Abstract

Compilers for polymorphic languages can use runtime type inspection to support advanced implementation techniques such as tagless garbage collection, polymorphic marshalling, and flattened data structures. Intensional type analysis is a type-theoretic framework for expressing and certifying such type-analyzing computations. Unfortunately, existing approaches to intensional analysis do not work well on types with universal, existential, or fixpoint quantifiers. This makes it impossible to code applications such as garbage collection, persistency, or marshalling which must be able to examine the type of any runtime value.

We present a typed intermediate language that supports fully reflexive intensional type analysis. By fully reflexive, we mean that type-analyzing operations are applicable to the type of any runtime value in the language. In particular, we provide both type-level and term-level constructs for analyzing quantified types. Our system supports structural induction on quantified types yet type checking remains decidable. We show how to use reflexive type analysis to support type-safe marshalling and how to generate certified type-analyzing object code.

Keywords: certified code, runtime type dispatch, typed intermediate language.

1 Introduction

Runtime type analysis is used extensively in various applications and programming situations. Runtime services such as garbage collection and dynamic linking, applications such as marshalling and pickling, type-safe persistent programming, and unboxing implementations of polymorphic languages all analyze types to various degrees at runtime. Most existing compilers use untyped intermediate languages for compilation; therefore, they support runtime type inspection in a type-unsafe manner. In this paper, we present a statically typed intermediate language that allows runtime type analysis to be coded within the language. This allows us to leverage the power of dynamically typed languages, yet retain the advantages of static type checking.

Supporting runtime type analysis in a type-safe manner has been an active area of research. This paper builds on existing work [8] but makes the following new contributions:

*This research was sponsored in part by the Defense Advanced Research Projects Agency ISO under the title "Scaling Proof-Carrying Code to Production Compilers and Security Policies," ARPA Order No. H559, issued under Contract No. F30602-99-1-0519, and in part by NSF Grants CCR-9633390 and CCR-9901011. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the U.S. Government.


• We support fully reflexive type analysis at the term level. Consequently, programs can analyze any runtime value such as function closures and polymorphic data structures.

• We support fully reflexive type analysis at the type level. Therefore, type transformations operating on arbitrary types can be encoded in our language.

• We prove that the language is sound and that type reduction is strongly normalizing and confluent.

• We show a translation into a type erasure semantics. In a type preserving compiler this provides an approach to typed closure conversion which allows generation of certified object code.

2 Motivation

The core issue that we address in this paper is the design of a statically typed intermediate language that supports runtime type analysis. Why is this important? Modern programming paradigms are increasingly giving rise to applications that rely critically on type information at runtime, for example:

• Java adopts dynamic linking as a key feature, and to ensure safe linking, an external module must be dynamically verified to satisfy the expected interface type.

• A garbage collector must keep track of all live heap objects, and for that type information must be kept at runtime to allow traversal of data structures.

• In a distributed computing environment, code and data on one machine may need to be pickled for transmission to a different machine, where the unpickler reconstructs the data structures from the bit stream. If the type of the data is not statically known at the destination (as is the case for the environment components of function closures), the unpickler must use type information, encoded in the bit stream, to correctly interpret the encoded value.

• Type-safe persistent programming requires language support for dynamic typing: the program must ensure that data read from a persistent store is of the expected type.

• Finally, in polymorphic languages like ML, the type of a value may not be known statically; therefore, compilers have traditionally used inefficient, uniformly boxed data representations. To avoid this, several modern compilers [24, 20, 26] use runtime type information to support unboxed data representations.
When compiling code which uses runtime type inspections, most existing compilers use untyped intermediate languages, and reify runtime types into values at some early stage. However, discarding type information during compilation puts this approach at a serious disadvantage when it comes to generating certified code [14].

Code certification is appealing for a number of reasons. One need not trust the correctness of a compiler generating certified code; instead, one can verify the correctness of the generated code. Checking the correctness of a compiler-generated proof (of a program property) is much easier than proving the correctness of the compiler. Secondly, with the growth of web-based computing, programs are increasingly being developed at remote sites and shipped to clients for execution. Client programs may also download modules dynamically as they need them. For such a system to be practical, a client should be able to accept code from untrusted sources, but have a means of verifying it before execution. This again requires compilers that generate certified code.

A necessary step in building a certifying compiler is to have the compiler generate code that can be type-checked before execution. The type system ensures that the code accesses only the provided resources, makes legal function calls, etc. A certifying compiler can support runtime type analysis only in a typed framework.

The safety of such a system depends not only on the downloaded code, but also on the correctness of all the code that is executed by the system after type checking. This typically includes the runtime services like garbage collection, linking, etc. This code constitutes the trusted computing base of the system. Reducing the trusted computing base makes the system more reliable; for this, we must independently verify the correctness of this code. This implies that as many of the runtime services as possible should be written in a type-safe language, which requires support for runtime type analysis in a typed framework.

Finally, why is it important to have fully reflexive type analysis? Why do we want to analyze quantified types? Many type-analyzing applications mentioned above must handle arbitrary runtime values. For example, a pickler must be able to pickle any value, including closures (which have existential types), polymorphic functions, or recursive data structures. A garbage collector has to be able to traverse all data structures in the heap to track live objects. Therefore the language must support type analysis over any runtime value in the language.

2.1 Background

Harper and Morrisett [8] proposed intensional type analysis and presented a type-theoretic framework for expressing computations that analyze types at runtime. They introduced two explicit type-analysis operators: one at the term level (typecase) and another at the type level (Typerec); both use induction over the structure of types. Type-dependent primitive functions use these operators to analyze types and select the appropriate code. For example, a polymorphic subscript function for arrays might be written as the following pseudo-code:

$$\mathit{sub} = \Lambda\alpha.\ \mathsf{typecase}\ \alpha\ \mathsf{of}\ \begin{array}{lcl}\mathsf{int} & \Rightarrow & \mathit{intsub}\\ \mathsf{real} & \Rightarrow & \mathit{realsub}\\ \beta & \Rightarrow & \mathit{boxedsub}\,[\beta]\end{array}$$

Here sub analyzes the type $\alpha$ of the array elements and returns the appropriate subscript function. We assume that arrays of type int and real have specialized representations (defined by types, say, intarray and realarray), and therefore special subscript functions, while all other arrays use the default boxed representation.
Figure 1: The type language of Harper and Morrisett

Typing this subscript function is more interesting, because it must have all of the types $\mathit{intarray} \to \mathsf{int} \to \mathsf{int}$, $\mathit{realarray} \to \mathsf{int} \to \mathsf{real}$, and $\forall\alpha.\ \mathit{boxedarray}(\alpha) \to \mathsf{int} \to \alpha$. To assign a type to the subscript function, we need a construct at the type level that parallels the typecase analysis at the term level. In general, this facility is crucial since many type-analyzing operations like flattening and marshalling transform types in a non-uniform way. The subscript operation would then be typed as

$$\mathit{sub} : \forall\alpha.\ \mathit{Array}(\alpha) \to \mathsf{int} \to \alpha$$

$$\text{where}\quad \mathit{Array} = \lambda\alpha.\ \mathsf{Typecase}\ \alpha\ \mathsf{of}\ \begin{array}{lcl}\mathsf{int} & \Rightarrow & \mathit{intarray}\\ \mathsf{real} & \Rightarrow & \mathit{realarray}\\ \beta & \Rightarrow & \mathit{boxedarray}\ \beta\end{array}$$

The Typecase construct in the above example is a special case of the Typerec construct in [8], which also supports primitive recursion over types.

2.2 The problem

The language of Harper and Morrisett only allows the analysis of monotypes; it does not support analysis of types with binding structure (e.g., polymorphic, existential or recursive types). Therefore, type analyzing primitives that handle polymorphic code blocks, closures (since closures are represented as existentials [12]), or recursive structures, cannot be written in their language. The types in their language (in essence shown in Figure 1) are separated into two universes, constructors and types. The constructor calculus is a simply typed lambda calculus, with no polymorphic types. The Typerec operator analyzes only constructors of base kind $\Omega$:

$$\mathsf{int} : \Omega \qquad\qquad \to\ : \Omega \to \Omega \to \Omega$$

The kinds of these constructors' arguments do not contain any negative occurrence of the kind $\Omega$, so int and $\to$ can be used to define $\Omega$ inductively. The Typerec operator is essentially an iterator over this inductive definition; its reduction rules can be written as:

$$\mathsf{Typerec}\ \mathsf{int}\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to) \leadsto \tau_{\mathsf{int}}$$

$$\mathsf{Typerec}\ (\tau_1 \to \tau_2)\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to) \leadsto \tau_\to\ \tau_1\ \tau_2\ (\mathsf{Typerec}\ \tau_1\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to))\ (\mathsf{Typerec}\ \tau_2\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to))$$

Here the Typerec operator examines the head constructor of the type being analyzed and chooses a branch accordingly. If the type is int, it reduces to the $\tau_{\mathsf{int}}$ branch. If the type is $\tau_1 \to \tau_2$, the analysis proceeds recursively on the subtypes $\tau_1$ and $\tau_2$. The Typerec operator then applies the $\tau_\to$ branch to the original component types, and to the result of analyzing the components; thus providing a form of primitive recursion.

Types with binding structure can be constructed using higher-order abstract syntax. For example, the polymorphic type constructor $\forall$ can be given the kind $(\Omega \to \Omega) \to \Omega$, so that the type $\forall\alpha:\Omega.\ \alpha \to \alpha$ is represented as $\forall\,(\lambda\alpha:\Omega.\ \alpha \to \alpha)$. It would seem plausible to define an iterator with the reduction rule:

$$\mathsf{Typerec}\ (\forall\,\tau)\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall) \leadsto \tau_\forall\ \tau\ (\lambda\alpha:\Omega.\ \mathsf{Typerec}\ (\tau\,\alpha)\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall))$$

However the negative occurrence of $\Omega$ in the kind of the argument of $\forall$ poses a problem: this iterator may fail to terminate! Consider the following example, assuming $\tau = \lambda\alpha:\Omega.\ \alpha$ and

$$\tau_\forall = \lambda\beta_1:\Omega \to \Omega.\ \lambda\beta_2:\Omega \to \Omega.\ \beta_2\,(\forall\,\beta_1)$$

the following reduction sequence will go on indefinitely:

$$\begin{array}{l}\mathsf{Typerec}\ (\forall\,\tau)\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall)\\ \leadsto\ \tau_\forall\ \tau\ (\lambda\alpha:\Omega.\ \mathsf{Typerec}\ (\tau\,\alpha)\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall))\\ \leadsto\ \mathsf{Typerec}\ (\tau\,(\forall\,\tau))\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall)\\ \leadsto\ \mathsf{Typerec}\ (\forall\,\tau)\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall)\\ \leadsto\ \ldots\end{array}$$

Clearly this makes typechecking Typerec undecidable.
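The iterator of Sections 2.1 and 2.2 can be run as a program. The following Python model is an added example, not code from the paper: types of kind $\Omega$ are objects, a type function of kind $\Omega \to \Omega$ is a Python callable (the higher-order abstract syntax encoding, so $\forall\alpha.\ \alpha \to \alpha$ is `Forall(lambda a: Arrow(a, a))`), and `typerec` applies the reduction rules above, including the naive rule for $\forall$. A step budget makes the divergence of the $\tau_\forall = \lambda\beta_1.\lambda\beta_2.\ \beta_2\,(\forall\,\beta_1)$ example observable instead of hanging the interpreter. All names (`Int`, `Arrow`, `Forall`, `Branches`, `typerec`, `size_of`, `diverges`) are this example's own.

```python
# Added example (not the paper's code): Harper and Morrisett's Typerec as an
# iterator over a type syntax tree, plus the naive higher-order abstract
# syntax rule for the quantifier from Section 2.2.  Int, Arrow, Forall,
# Branches, typerec, size_of and diverges are names chosen for this example.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Int:
    pass


@dataclass(frozen=True)
class Arrow:
    dom: object
    cod: object


@dataclass(frozen=True)
class Forall:
    # Constructor of kind (Omega -> Omega) -> Omega: the body *consumes* a
    # type, which is the negative occurrence of Omega discussed in the text.
    body: Callable


@dataclass(frozen=True)
class Branches:
    t_int: object
    t_arrow: Callable   # (t1, t2, result1, result2) -> result
    t_forall: Callable  # (body, f) -> result, where f(a) = typerec(body(a))


class StepBudgetExceeded(Exception):
    pass


def typerec(tau, br, budget):
    """The reduction rules of Section 2.2 read as an evaluator.

    `budget` is a one-element list of remaining rule applications, so a
    divergent analysis raises StepBudgetExceeded instead of looping forever
    (or exhausting the Python stack)."""
    budget[0] -= 1
    if budget[0] < 0:
        raise StepBudgetExceeded(tau)
    if isinstance(tau, Int):
        return br.t_int
    if isinstance(tau, Arrow):
        r1 = typerec(tau.dom, br, budget)
        r2 = typerec(tau.cod, br, budget)
        return br.t_arrow(tau.dom, tau.cod, r1, r2)
    if isinstance(tau, Forall):
        # The naive rule: the branch receives the abstraction and the
        # iteration on its body, and may apply the latter to *any* type.
        return br.t_forall(tau.body, lambda a: typerec(tau.body(a), br, budget))
    raise TypeError(f"not a type of kind Omega: {tau!r}")


def size_of(tau):
    """A terminating analysis: the number of constructors in tau.  The
    quantifier branch samples the iteration result at int, so the type fed
    back into typerec is always smaller than the one being analyzed."""
    br = Branches(
        t_int=1,
        t_arrow=lambda t1, t2, r1, r2: 1 + r1 + r2,
        t_forall=lambda body, f: 1 + f(Int()),
    )
    return typerec(tau, br, [10_000])


def diverges(tau, steps):
    """Run the paper's looping branch  t_forall = \\b1. \\b2. b2 (forall b1)
    on tau for at most `steps` rule applications.  With tau = forall a. a the
    branch feeds the whole quantified type back into the iteration, so the
    type analyzed never shrinks.  Returns True if the budget runs out."""
    br = Branches(
        t_int=Int(),
        t_arrow=lambda t1, t2, r1, r2: Arrow(r1, r2),
        t_forall=lambda body, f: f(Forall(body)),
    )
    try:
        typerec(tau, br, [steps])
    except StepBudgetExceeded:
        return True
    return False
```

`size_of(Forall(lambda a: Arrow(a, a)))` terminates with 4 because its $\forall$ branch only ever re-enters the iteration on a strictly smaller type, whereas `diverges(Forall(lambda a: a), 100)` exhausts its budget: this is exactly the reduction sequence displayed above, and it is the reason a type checker built on the naive rule cannot be guaranteed to halt.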

Another serious problem in analyzing quantified types involves both the type-level and the term-level operators. Typed intermediate languages like FLINT [21] and TIL [25] are based on the calculus $F_\omega$ [5, 19], which has higher order type constructors. In a quantified type, say $\exists\alpha:\kappa.\ \tau$, the quantified variable $\alpha$ is no longer restricted to a base kind $\Omega$, but can have an arbitrary kind $\kappa$. Consider the term-level typecase in such a scenario:

$$\mathit{sub} = \Lambda\alpha.\ \mathsf{typecase}\ \alpha\ \mathsf{of}\ \begin{array}{lcl}\mathsf{int} & \Rightarrow & e_{\mathsf{int}}\\ \exists\alpha:\kappa.\ \tau & \Rightarrow & e_\exists\end{array}$$

To do anything useful in the $e_\exists$ branch, even to open a package of this type, we need to know the kind $\kappa$. We can get around this by having an infinite number of branches in the typecase, one for each kind; or by restricting type analysis to a finite set of kinds. Both of these approaches are clearly impractical. Recent work on typed compilation of ML and Java has shown that both would require an $F_\omega$-like calculus with arbitrarily complex kinds [22, 23, 10].

2.3 Requirements for a solution

Before we discuss our solution, let us look at the properties we want it to have.

First, our language must support type analysis in the manner of Harper/Morrisett. That is, we want to include type analysis primitives that will analyze the entire syntax tree representing a type. Second, we want the analysis to continue inside the body of a quantified type; handling quantified types parametrically, or in a uniform way by providing a default case, is insufficient. As we will see later, many interesting type-directed operations require these two properties. Third, we do not want to restrict the kind of the (quantified) type variable in a quantified type; we want to analyze types where the quantification is over a variable of arbitrary kind.

Consider a type-directed pickler that converts a value of arbitrary type into an external representation. Suppose we want to pickle a closure. With a type-preserving compiler, the type of a closure would be represented as an existential with the environment held abstract. Even if the code is handled uniformly, the function must inspect the type of the environment (which is also the witness type of the existential package) to pickle it. This shows that at the term level, the analysis must proceed inside a quantified type. In Section 3.2, we show the encoding of a polymorphic equality function in our calculus; the comparison of existential values requires a similar technique.
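The pickler sketched above, and the persistence check from the motivation list in Section 2 (data read back must be of the expected type), as an added Python example rather than the paper's own code. A closure is an existential package whose static type, here $\mathsf{int} \to \mathsf{int}$, says nothing about its environment; the pickler therefore writes the witness type into the stream and the unpickler analyzes that type to decode the environment. Code never crosses the wire: a closure carries only a name that the unpickler resolves in a table it already trusts. The type grammar, wire format, `Closure`, `CODE_TABLE` and every other name below are this example's own choices.

```python
# Added example (not the paper's code): a type-directed pickler/unpickler.
# Closures are existential packages: the witness (environment) type travels
# in the stream, code is referenced by name only.  All names are the
# example's own.
from dataclasses import dataclass
import struct

# Types of kind Omega as a first-order syntax tree.
@dataclass(frozen=True)
class Int: pass
@dataclass(frozen=True)
class Bool: pass
@dataclass(frozen=True)
class Prod:
    left: object; right: object
@dataclass(frozen=True)
class Arrow:
    dom: object; cod: object

# A closure-converted function: code name plus hidden environment.
@dataclass(frozen=True)
class Closure:
    code: str         # key into CODE_TABLE, the only way code is referenced
    env_type: object  # witness type of the existential package
    env: object

CODE_TABLE = {                                      # shipped with the program
    "add_env": lambda env, x: env[0] + env[1] + x,  # env : int x int
    "negate_if": lambda env, x: -x if env else x,   # env : bool
}

def apply(clo, arg):
    return CODE_TABLE[clo.code](clo.env, arg)

# Type descriptors on the wire.
def encode_type(t):
    if isinstance(t, Int):   return b"I"
    if isinstance(t, Bool):  return b"B"
    if isinstance(t, Prod):  return b"P" + encode_type(t.left) + encode_type(t.right)
    if isinstance(t, Arrow): return b"A" + encode_type(t.dom) + encode_type(t.cod)
    raise TypeError(f"not a type: {t!r}")

class Cursor:
    def __init__(self, data): self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data): raise ValueError("truncated stream")
        chunk = self.data[self.pos:self.pos + n]; self.pos += n
        return chunk

def decode_type(c):
    tag = c.take(1)
    if tag == b"I": return Int()
    if tag == b"B": return Bool()
    if tag == b"P": return Prod(decode_type(c), decode_type(c))
    if tag == b"A": return Arrow(decode_type(c), decode_type(c))
    raise ValueError(f"bad type tag {tag!r}")

# Term-level typecase: encode or decode a value at a given type.
def encode_value(t, v):
    if isinstance(t, Int):  return struct.pack(">q", v)
    if isinstance(t, Bool): return b"\x01" if v else b"\x00"
    if isinstance(t, Prod): return encode_value(t.left, v[0]) + encode_value(t.right, v[1])
    if isinstance(t, Arrow):   # witness type first, then the env at that type
        name = v.code.encode("ascii")
        return (encode_type(v.env_type) + encode_value(v.env_type, v.env)
                + bytes([len(name)]) + name)
    raise TypeError(f"not a type: {t!r}")

def decode_value(t, c):
    if isinstance(t, Int):  return struct.unpack(">q", c.take(8))[0]
    if isinstance(t, Bool):
        b = c.take(1)
        if b not in (b"\x00", b"\x01"): raise ValueError("bad bool")
        return b == b"\x01"
    if isinstance(t, Prod):
        left = decode_value(t.left, c)
        return (left, decode_value(t.right, c))
    if isinstance(t, Arrow):   # the analysis proceeds inside the package
        env_type = decode_type(c)
        env = decode_value(env_type, c)
        name = c.take(c.take(1)[0]).decode("ascii")
        if name not in CODE_TABLE: raise ValueError(f"unknown code {name!r}")
        return Closure(name, env_type, env)
    raise TypeError(f"not a type: {t!r}")

def pickle_value(t, v):
    """Stream = descriptor of t, then v encoded at t."""
    return encode_type(t) + encode_value(t, v)

def unpickle_value(expected, data):
    """Type-safe persistence: the stored type must equal the expected type
    before a single value byte is interpreted; trailing bytes are rejected."""
    c = Cursor(data)
    stored = decode_type(c)
    if stored != expected:
        raise TypeError(f"stored type {stored} does not match expected {expected}")
    v = decode_value(expected, c)
    if c.pos != len(data):
        raise ValueError("trailing bytes after value")
    return v
```

Two closures of the same static type $\mathsf{int} \to \mathsf{int}$, `Closure("add_env", Prod(Int(), Int()), (3, 4))` and `Closure("negate_if", Bool(), True)`, produce streams that differ in the witness type, and only that witness tells `decode_value` how many bytes the environment occupies. The checks in `unpickle_value` and the `CODE_TABLE` lookup are what make the stream safe to accept from an untrusted source: a descriptor that does not match the expected type, a code name the program did not ship, or a truncated or padded stream is rejected before any value is constructed.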


The reason for not restricting the quantified type variable to a finite set of kinds is twofold. Restricting type analysis to a finite number of kinds would be ad hoc and there is no way of satisfactorily predetermining this finite set (this is even more the case when we compile Java into a typed intermediate language [10]). More importantly, if the kind of the bound variable is a known constant in the corresponding branch of the Typerec construct, it is easy to generalize the non-termination example of the previous section and break the decidability of the type system.

2.4 Our solution

The key problem in analyzing quantified types such as the polymorphic type $\forall\alpha:\Omega.\ \alpha \to \alpha$ is to determine what happens when the iteration reaches the quantified type variable $\alpha$, or (in the general case of type variables of higher kinds) a normal form which is an application with a type variable in the head.

One approach would be to leave the type variable untouched while analyzing the body of the quantified type. The equational theory of the type language then includes a reduction of the form $(\mathsf{Typerec}\ \alpha\ \mathsf{of}\ \ldots) \leadsto \alpha$ so that the iterator vanishes when it reaches a type variable. However this would break the confluence of the type language: the application of $\lambda\alpha:\Omega.\ \mathsf{Typerec}\ \alpha\ \mathsf{of}\ \ldots$ to $\tau$ would reduce in general to different types if we perform the $\beta$-reduction step first or eliminate the iterator first.

Crary and Weirich [1] propose another method for solving this problem. Their language LX allows the representation of terms with bound variables using de Bruijn notation and an encoding of natural numbers as types. To analyze quantified types, the iterator carries an environment mapping indices to types; when the iterator reaches a type variable, it returns the corresponding type from the environment. This method has several disadvantages.

• It is not fully reflexive, since it does not allow analysis of all quantified types: their analysis is restricted to types with quantification only over variables of kind $\Omega$.

• The technique is "limited to parametrically polymorphic functions, and cannot account for functions that perform intensional type analysis" [1, Section 4.1]. For example polymorphic types such as $\forall\alpha:\Omega.\ \mathsf{Typerec}\ \alpha\ \mathsf{of}\ \ldots$ are not analyzable in their framework.

• The correctness of the structure of a type encoded using de Bruijn notation cannot be verified by the kind language (indices not corresponding to bound variables go undetected, so the environment must provide a default type for them), which does not break the type soundness but opens the door for programmer mistakes.

To account for non-parametrically polymorphic functions, we must analyze the quantified type variable. Moreover, we want to have confluence of the type language, so $\beta$-reduction should be transparent to the iterator. This is possible only if the analysis gets suspended when it reaches a type variable, or its application, of kind $\Omega$, and resumes when the variable gets substituted. Therefore, we consider $(\mathsf{Typerec}\ \alpha\ \mathsf{of}\ \ldots)$ to be a normal form. For example, the result of analyzing the body $(\alpha \to \mathsf{int})$ of the polymorphic type $\forall\alpha:\kappa.\ \alpha \to \mathsf{int}$ is

$$\mathsf{Typerec}\ (\alpha \to \mathsf{int})\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall) \leadsto \tau_\to\ \alpha\ \mathsf{int}\ (\mathsf{Typerec}\ \alpha\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall))\ \tau_{\mathsf{int}}$$

We formalize the analysis of quantified types when we present the type reduction rules of the Typerec construct (Figure 5).

The other problem is to analyze quantified types when the quantified variable can be of an arbitrary kind. In our language the solution is similar at both the type and the term levels: we use kind polymorphism! We introduce kind abstractions at the type level ($\Lambda\chi.\ \tau$) and at the term level ($\Lambda^+\chi.\ e$) to bind the kind of the quantified variable. (See Section 3 for details.)

Kind polymorphism also ensures the termination of the Typerec constructor. Consider again the analysis of the polymorphic type:

$$\mathsf{Typerec}\ (\forall\,\tau)\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall) \leadsto \tau_\forall\ \tau\ (\lambda\alpha:\Omega.\ \mathsf{Typerec}\ (\tau\,\alpha)\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall))$$

Informally, we must ensure that the type being analyzed decreases in size at every iteration. That is, $\tau\,\alpha$ is smaller than $\forall\,\tau$. (Note that the previous non-terminating example violates this requirement.) This will be true if we can ensure that $\alpha$ is always substituted by a single variable. Therefore, we make the kind of $\alpha$ abstract by using kind polymorphism; $\alpha$ now has the kind bound in the $\tau_\forall$ branch. The only way to construct another type of this kind is to bind a type variable of the same kind in the $\tau_\forall$ branch. This ensures that $\alpha$ can only be substituted by another type variable.

It is important to note that our language provides no facilities for kind analysis. Analyzing the kind $\kappa$ of the bound variable $\alpha$ in the type $\forall\,(\lambda\alpha:\kappa.\ \tau)$ would let us synthesize a type argument of the same kind, for every kind $\kappa$. The synthesized type can then be used in the style of the non-termination example of the previous section. Intuitively, we would not be able to guarantee that the type being analyzed decreases at every step.

The rest of the paper is organized as follows. Section 3 describes the language $\lambda_i^Q$ supporting analysis of polymorphic and existential types. Section 4 presents a language that also includes support for analysis of recursive types. Section 5 shows a translation into a language with type erasure semantics.

3 Analyzing polymorphic types

In the impredicative $F_\omega$ calculus, the polymorphic types $\forall\alpha:\kappa.\ \tau$ can be viewed as generated by an infinite set of type constructors $\forall_\kappa$ of kind $(\kappa \to \Omega) \to \Omega$, one for each kind $\kappa$. The type $\forall\alpha:\kappa.\ \tau$ is then represented as $\forall_\kappa\,(\lambda\alpha:\kappa.\ \tau)$. The kinds of constructors that can generate types of kind $\Omega$ then would be

$$\begin{array}{lcl}\mathsf{int} & : & \Omega\\ \to & : & \Omega \to \Omega \to \Omega\\ \forall_\Omega & : & (\Omega \to \Omega) \to \Omega\\ \forall_\kappa & : & (\kappa \to \Omega) \to \Omega\end{array}$$

We can avoid the infinite number of $\forall_\kappa$ constructors by defining a single constructor $\forall$ of polymorphic kind $\forall\chi.\ (\chi \to \Omega) \to \Omega$ and then instanti­ating it to a specific kind before forming polymorphic types. More importantly, this technique also removes the negative occurrence of $\Omega$ from the kind of the argument of the constructor $\forall_\Omega$. Hence in our $\lambda_i^Q$ calculus we extend $F_\omega$ with polymorphic kinds and add a type constant $\forall$ of kind $\forall\chi.\ (\chi \to \Omega) \to \Omega$ to the type language. The polymorphic type $\forall\alpha:\kappa.\ \tau$ is now represented as $\forall\,[\kappa]\,(\lambda\alpha:\kappa.\ \tau)$.

We define the syntax of the $\lambda_i^Q$ calculus in Figure 2, and some derived forms of types in Figure 3. The static semantics of $\lambda_i^Q$ is shown in Figures 4 and 5 as a set of rules for judgements using the following environments:

$$\begin{array}{lrcl}\text{kind environment} & \mathcal{E} & ::= & \varepsilon \mid \mathcal{E},\chi\\ \text{type environment} & \Delta & ::= & \varepsilon \mid \Delta,\alpha{:}\kappa\\ \text{term environment} & \Gamma & ::= & \varepsilon \mid \Gamma,x{:}\tau\end{array}$$


$$\begin{array}{lrcl}(\text{kinds}) & \kappa & ::= & \Omega \mid \kappa \to \kappa' \mid \chi \mid \forall\chi.\,\kappa\\ (\text{types}) & \tau & ::= & \mathsf{int} \mid \to \mid \forall \mid \forall^+ \mid \alpha \mid \Lambda\chi.\,\tau \mid \lambda\alpha{:}\kappa.\,\tau \mid \tau\,[\kappa] \mid \tau\,\tau'\\ & & \mid & \mathsf{Typerec}[\kappa]\ \tau\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})\\ (\text{values}) & v & ::= & i \mid \Lambda^+\chi.\,e \mid \Lambda\alpha{:}\kappa.\,e \mid \lambda x{:}\tau.\,e \mid \mathsf{fix}\ x{:}\tau.\,v\\ (\text{terms}) & e & ::= & v \mid x \mid e\,[\kappa]^+ \mid e\,[\tau] \mid e\,e'\\ & & \mid & \mathsf{typecase}[\tau]\ \tau'\ \mathsf{of}\ (e_{\mathsf{int}}; e_\to; e_\forall; e_{\forall^+})\end{array}$$

Figure 2: Syntax of the $\lambda_i^Q$ language

$$\begin{array}{rcl}\tau \to \tau' & = & ((\to)\ \tau)\ \tau'\\ \forall\alpha{:}\kappa.\,\tau & = & (\forall\,[\kappa])\ (\lambda\alpha{:}\kappa.\,\tau)\\ \forall^+\chi.\,\tau & = & \forall^+\,(\Lambda\chi.\,\tau)\end{array}$$

Figure 3: Syntactic sugar for $\lambda_i^Q$ types


The Typerec operator analyzes polymorphic types with bound variables of arbitrary kind. The corresponding branch of the operator must bind the kind of the quantified type variable; for that purpose the language provides kind abstraction ($\Lambda\chi.\,\tau$) and kind application ($\tau\,[\kappa]$) at the type level. The formation rules for these constructs, excerpted from Figure 4, are

$$\frac{\mathcal{E},\chi;\Delta \vdash \tau : \kappa}{\mathcal{E};\Delta \vdash \Lambda\chi.\,\tau : \forall\chi.\,\kappa}\qquad\frac{\mathcal{E};\Delta \vdash \tau : \forall\chi.\,\kappa\quad\mathcal{E} \vdash \kappa'}{\mathcal{E};\Delta \vdash \tau\,[\kappa'] : \kappa\{\kappa'/\chi\}}$$

Similarly, while analyzing a polymorphic type, the term-level construct typecase must bind the kind of the quantified type variable. Therefore, we introduce kind abstraction ($\Lambda^+\chi.\,e$) and kind application ($e\,[\kappa]^+$) at the term level. To type the term-level kind abstraction, we need a type construct $\forall^+\chi.\,\tau$ that binds the kind variable $\chi$ in the type $\tau$. The formation rules are shown below.

$$\frac{\mathcal{E},\chi;\Delta;\Gamma \vdash v : \tau}{\mathcal{E};\Delta;\Gamma \vdash \Lambda^+\chi.\,v : \forall^+\chi.\,\tau}\qquad\frac{\mathcal{E};\Delta;\Gamma \vdash e : \forall^+\chi.\,\tau\quad\mathcal{E} \vdash \kappa}{\mathcal{E};\Delta;\Gamma \vdash e\,[\kappa]^+ : \tau\{\kappa/\chi\}}$$

However, since our goal is fully reflexive type analysis, we need to analyze kind-polymorphic types as well. As with polymorphic types, we can represent the type $\forall^+\chi.\,\tau$ as the application of a type constructor $\forall^+$ of kind $(\forall\chi.\,\Omega) \to \Omega$ to a kind abstraction $\Lambda\chi.\,\tau$. Thus the kinds of the constructors for types of kind $\Omega$ are

$$\begin{array}{lcl}\mathsf{int} & : & \Omega\\ \to & : & \Omega \to \Omega \to \Omega\\ \forall & : & \forall\chi.\,(\chi \to \Omega) \to \Omega\\ \forall^+ & : & (\forall\chi.\,\Omega) \to \Omega\end{array}$$

None of these constructors' arguments have the kind $\Omega$ in a negative position; hence the kind $\Omega$ can now be defined inductively in terms of these constructors. The Typerec construct is then the iterator over this kind. The formation rule for Typerec follows naturally from the type reduction rules (Figure 5). Depending on the head constructor of the type being analyzed, Typerec chooses one of the branches. At the int type, it returns the $\tau_{\mathsf{int}}$ branch. At the function type $\tau \to \tau'$, it applies the $\tau_\to$ branch to the components $\tau$ and $\tau'$ and to the result of the iteration over $\tau$ and $\tau'$.
Kind formation $\mathcal{E} \vdash \kappa$

$$\frac{}{\mathcal{E} \vdash \Omega}\qquad\frac{\chi \in \mathcal{E}}{\mathcal{E} \vdash \chi}\qquad\frac{\mathcal{E} \vdash \kappa\quad\mathcal{E} \vdash \kappa'}{\mathcal{E} \vdash \kappa \to \kappa'}\qquad\frac{\mathcal{E},\chi \vdash \kappa}{\mathcal{E} \vdash \forall\chi.\,\kappa}$$

Type environment formation $\mathcal{E} \vdash \Delta$

$$\frac{}{\mathcal{E} \vdash \varepsilon}\qquad\frac{\mathcal{E} \vdash \Delta\quad\mathcal{E} \vdash \kappa}{\mathcal{E} \vdash \Delta,\alpha{:}\kappa}$$

Type formation $\mathcal{E};\Delta \vdash \tau : \kappa$

$$\frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash \mathsf{int} : \Omega}\qquad\frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash (\to) : \Omega \to \Omega \to \Omega}\qquad\frac{\mathcal{E} \vdash \Delta\quad\alpha{:}\kappa \in \Delta}{\mathcal{E};\Delta \vdash \alpha : \kappa}$$

$$\frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash \forall : \forall\chi.\,(\chi \to \Omega) \to \Omega}\qquad\frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash \forall^+ : (\forall\chi.\,\Omega) \to \Omega}$$

$$\frac{\mathcal{E},\chi;\Delta \vdash \tau : \kappa}{\mathcal{E};\Delta \vdash \Lambda\chi.\,\tau : \forall\chi.\,\kappa}\qquad\frac{\mathcal{E};\Delta \vdash \tau : \forall\chi.\,\kappa\quad\mathcal{E} \vdash \kappa'}{\mathcal{E};\Delta \vdash \tau\,[\kappa'] : \kappa\{\kappa'/\chi\}}$$

$$\frac{\mathcal{E};\Delta,\alpha{:}\kappa \vdash \tau : \kappa'}{\mathcal{E};\Delta \vdash \lambda\alpha{:}\kappa.\,\tau : \kappa \to \kappa'}\qquad\frac{\mathcal{E};\Delta \vdash \tau : \kappa' \to \kappa\quad\mathcal{E};\Delta \vdash \tau' : \kappa'}{\mathcal{E};\Delta \vdash \tau\,\tau' : \kappa}$$

$$\frac{\begin{array}{l}\mathcal{E};\Delta \vdash \tau : \Omega\qquad\mathcal{E};\Delta \vdash \tau_{\mathsf{int}} : \kappa\qquad\mathcal{E};\Delta \vdash \tau_\to : \Omega \to \Omega \to \kappa \to \kappa \to \kappa\\ \mathcal{E};\Delta \vdash \tau_\forall : \forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa\qquad\mathcal{E};\Delta \vdash \tau_{\forall^+} : (\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa\end{array}}{\mathcal{E};\Delta \vdash \mathsf{Typerec}[\kappa]\ \tau\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}) : \kappa}$$

Term environment formation $\mathcal{E};\Delta \vdash \Gamma$

$$\frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash \varepsilon}\qquad\frac{\mathcal{E};\Delta \vdash \Gamma\quad\mathcal{E};\Delta \vdash \tau : \Omega}{\mathcal{E};\Delta \vdash \Gamma,x{:}\tau}$$

Term formation $\mathcal{E};\Delta;\Gamma \vdash e : \tau$

$$\frac{\mathcal{E};\Delta \vdash \Gamma}{\mathcal{E};\Delta;\Gamma \vdash i : \mathsf{int}}\qquad\frac{\mathcal{E};\Delta \vdash \Gamma\quad x{:}\tau \in \Gamma}{\mathcal{E};\Delta;\Gamma \vdash x : \tau}\qquad\frac{\mathcal{E},\chi;\Delta;\Gamma \vdash v : \tau}{\mathcal{E};\Delta;\Gamma \vdash \Lambda^+\chi.\,v : \forall^+\chi.\,\tau}$$

$$\frac{\mathcal{E};\Delta,\alpha{:}\kappa;\Gamma \vdash v : \tau}{\mathcal{E};\Delta;\Gamma \vdash \Lambda\alpha{:}\kappa.\,v : \forall\alpha{:}\kappa.\,\tau}\qquad\frac{\mathcal{E};\Delta;\Gamma,x{:}\tau \vdash e : \tau'}{\mathcal{E};\Delta;\Gamma \vdash \lambda x{:}\tau.\,e : \tau \to \tau'}$$

$$\frac{\mathcal{E};\Delta;\Gamma,x{:}\tau \vdash v : \tau\qquad\tau = \forall^+\chi_1 \ldots \chi_n.\,\forall\alpha_1{:}\kappa_1 \ldots \alpha_m{:}\kappa_m.\,\tau_1 \to \tau_2\qquad n \ge 0,\ m \ge 0}{\mathcal{E};\Delta;\Gamma \vdash \mathsf{fix}\ x{:}\tau.\,v : \tau}$$

$$\frac{\mathcal{E};\Delta;\Gamma \vdash e : \forall^+\tau\quad\mathcal{E} \vdash \kappa}{\mathcal{E};\Delta;\Gamma \vdash e\,[\kappa]^+ : \tau\,[\kappa]}\qquad\frac{\mathcal{E};\Delta;\Gamma \vdash e : \forall\,[\kappa]\,\tau\quad\mathcal{E};\Delta \vdash \tau' : \kappa}{\mathcal{E};\Delta;\Gamma \vdash e\,[\tau'] : \tau\,\tau'}\qquad\frac{\mathcal{E};\Delta;\Gamma \vdash e : \tau' \to \tau\quad\mathcal{E};\Delta;\Gamma \vdash e' : \tau'}{\mathcal{E};\Delta;\Gamma \vdash e\,e' : \tau}$$

$$\frac{\begin{array}{l}\mathcal{E};\Delta \vdash \tau : \Omega \to \Omega\qquad\mathcal{E};\Delta \vdash \tau' : \Omega\qquad\mathcal{E};\Delta;\Gamma \vdash e_{\mathsf{int}} : \tau\ \mathsf{int}\\ \mathcal{E};\Delta;\Gamma \vdash e_\to : \forall\alpha{:}\Omega.\,\forall\alpha'{:}\Omega.\,\tau\,(\alpha \to \alpha')\qquad\mathcal{E};\Delta;\Gamma \vdash e_\forall : \forall^+\chi.\,\forall\alpha{:}\chi \to \Omega.\,\tau\,(\forall\,[\chi]\,\alpha)\\ \mathcal{E};\Delta;\Gamma \vdash e_{\forall^+} : \forall\alpha{:}(\forall\chi.\,\Omega).\,\tau\,(\forall^+\alpha)\end{array}}{\mathcal{E};\Delta;\Gamma \vdash \mathsf{typecase}[\tau]\ \tau'\ \mathsf{of}\ (e_{\mathsf{int}}; e_\to; e_\forall; e_{\forall^+}) : \tau\,\tau'}$$

Figure 4: Formation rules of $\lambda_i^Q$


Type reduction $\mathcal{E};\Delta \vdash \tau_1 \leadsto \tau_2 : \kappa$

$$\frac{\mathcal{E};\Delta,\alpha{:}\kappa' \vdash \tau : \kappa\quad\mathcal{E};\Delta \vdash \tau' : \kappa'}{\mathcal{E};\Delta \vdash (\lambda\alpha{:}\kappa'.\,\tau)\,\tau' \leadsto \tau\{\tau'/\alpha\} : \kappa}\qquad\frac{\mathcal{E},\chi;\Delta \vdash \tau : \kappa\quad\mathcal{E} \vdash \kappa'}{\mathcal{E};\Delta \vdash (\Lambda\chi.\,\tau)\,[\kappa'] \leadsto \tau\{\kappa'/\chi\} : \kappa\{\kappa'/\chi\}}$$

$$\frac{\mathcal{E};\Delta \vdash \tau : \kappa \to \kappa'\quad\alpha \notin \mathit{ftv}(\tau)}{\mathcal{E};\Delta \vdash \lambda\alpha{:}\kappa.\,\tau\,\alpha \leadsto \tau : \kappa \to \kappa'}\qquad\frac{\mathcal{E};\Delta \vdash \tau : \forall\chi'.\,\kappa\quad\chi \notin \mathit{fkv}(\tau)}{\mathcal{E};\Delta \vdash \Lambda\chi.\,\tau\,[\chi] \leadsto \tau : \forall\chi'.\,\kappa}$$

In the Typerec rules below, $(\ldots)$ abbreviates the branch list $(\tau_{\mathsf{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$.

$$\frac{\mathcal{E};\Delta \vdash \mathsf{Typerec}[\kappa]\ \mathsf{int}\ \mathsf{of}\ (\ldots) : \kappa}{\mathcal{E};\Delta \vdash \mathsf{Typerec}[\kappa]\ \mathsf{int}\ \mathsf{of}\ (\ldots) \leadsto \tau_{\mathsf{int}} : \kappa}$$

$$\frac{\mathcal{E};\Delta \vdash \mathsf{Typerec}[\kappa]\ \tau_1\ \mathsf{of}\ (\ldots) \leadsto \tau_1' : \kappa\qquad\mathcal{E};\Delta \vdash \mathsf{Typerec}[\kappa]\ \tau_2\ \mathsf{of}\ (\ldots) \leadsto \tau_2' : \kappa}{\mathcal{E};\Delta \vdash \mathsf{Typerec}[\kappa]\ ((\to)\,\tau_1\,\tau_2)\ \mathsf{of}\ (\ldots) \leadsto \tau_\to\,\tau_1\,\tau_2\,\tau_1'\,\tau_2' : \kappa}$$

$$\frac{\mathcal{E};\Delta,\alpha{:}\kappa' \vdash \mathsf{Typerec}[\kappa]\ (\tau\,\alpha)\ \mathsf{of}\ (\ldots) \leadsto \tau' : \kappa}{\mathcal{E};\Delta \vdash \mathsf{Typerec}[\kappa]\ (\forall\,[\kappa']\,\tau)\ \mathsf{of}\ (\ldots) \leadsto \tau_\forall\,[\kappa']\,\tau\,(\lambda\alpha{:}\kappa'.\,\tau') : \kappa}$$

$$\frac{\mathcal{E},\chi;\Delta \vdash \mathsf{Typerec}[\kappa]\ (\tau\,[\chi])\ \mathsf{of}\ (\ldots) \leadsto \tau' : \kappa}{\mathcal{E};\Delta \vdash \mathsf{Typerec}[\kappa]\ (\forall^+\tau)\ \mathsf{of}\ (\ldots) \leadsto \tau_{\forall^+}\,\tau\,(\Lambda\chi.\,\tau') : \kappa}$$

Figure 5: Selected $\lambda_i^Q$ type reduction rules
When analyzing a polymorphic type, the reduction rule is

$$\mathsf{Typerec}[\kappa]\ (\forall\alpha{:}\kappa'.\,\tau)\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}) \leadsto \tau_\forall\,[\kappa']\,(\lambda\alpha{:}\kappa'.\,\tau)\,(\lambda\alpha{:}\kappa'.\,\mathsf{Typerec}[\kappa]\ \tau\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}))$$

Thus the $\forall$-branch of Typerec receives as arguments the kind of the bound variable, the abstraction representing the quantified type, and a type function encapsulating the result of the iteration on the body of the quantified type. Since $\tau_\forall$ must be parametric in the kind $\kappa'$ (there are no facilities for kind analysis in the language), it can only apply its second and third arguments to locally introduced type variables of kind $\kappa'$. We believe this restriction, which is crucial for preserving strong normalization of the type language, is quite reasonable in practice. For instance $\tau_\forall$ can yield a quantified type based on the result of the iteration.

The reduction rule for analyzing a kind-polymorphic type is

$$\mathsf{Typerec}[\kappa]\ (\forall^+\chi.\,\tau)\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}) \leadsto \tau_{\forall^+}\,(\Lambda\chi.\,\tau)\,(\Lambda\chi.\,\mathsf{Typerec}[\kappa]\ \tau\ \mathsf{of}\ (\tau_{\mathsf{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}))$$

The arguments of the $\tau_{\forall^+}$ branch are the kind abstraction underlying the kind-polymorphic type and a kind abstraction encapsulating the result of the iteration on the body of the quantified type.

For ease of presentation, we will use ML-style pattern matching syntax to define a type involving Typerec. Instead of

$$\tau = \lambda\alpha{:}\Omega.\,\mathsf{Typerec}[\kappa]\;\alpha\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+})$$

where

$$\tau_\to = \lambda\alpha_1{:}\Omega.\,\lambda\alpha_2{:}\Omega.\,\lambda\alpha_1'{:}\kappa.\,\lambda\alpha_2'{:}\kappa.\,\tau_\to'$$
$$\tau_\forall = \Lambda\chi.\,\lambda\alpha{:}\chi\to\Omega.\,\lambda\alpha'{:}\chi\to\kappa.\,\tau_\forall'$$
$$\tau_{\forall^+} = \lambda\alpha{:}(\forall\chi.\,\Omega).\,\lambda\alpha'{:}(\forall\chi.\,\kappa).\,\tau_{\forall^+}'$$

we will write

$$\tau\,(\mathsf{int}) = \tau_{\mathsf{int}}$$
$$\tau\,(\alpha_1\to\alpha_2) = \tau_\to'\{\tau\,(\alpha_1),\tau\,(\alpha_2)/\alpha_1',\alpha_2'\}$$
$$\tau\,(\forall\,[\chi]\,\alpha_1) = \tau_\forall'\{\lambda\alpha{:}\chi.\,\tau\,(\alpha_1\,\alpha)/\alpha'\}$$
$$\tau\,(\forall^+\,\alpha_1) = \tau_{\forall^+}'\{\Lambda\chi.\,\tau\,(\alpha_1\,[\chi])/\alpha'\}$$

To illustrate the type-level analysis we will use the Typerec operator to define the class of types admitting equality comparisons. To make the example non-trivial we extend the language with a product type constructor $\times$ of the same kind as $\to$, and with existential types with type constructor $\exists$ of kind identical to that of $\forall$, writing $\exists\alpha{:}\kappa.\,\tau$ for $\exists\,[\kappa]\,(\lambda\alpha{:}\kappa.\,\tau)$. Correspondingly we extend Typerec with a product branch $\tau_\times$ and an existential branch $\tau_\exists$ which behave in exactly the same way as the $\tau_\to$ branch and the $\tau_\forall$ branch respectively. We will use Bool instead of int.

A polymorphic function eq comparing two objects for equality is not defined on values of function or polymorphic types. We can enforce this restriction statically if we define a type operator Eq of kind $\Omega\to\Omega$, which maps function and polymorphic types to the type $\mathsf{Void} = \forall\alpha{:}\Omega.\,\alpha$ (a type with no values), and require the arguments of eq to be of type $\mathsf{Eq}\,\tau$ for some type $\tau$. Thus, given any type $\tau$, the function Eq serves to verify that a non-equality type does not occur inside $\tau$.

$$\mathsf{Eq}\,(\mathsf{Bool}) = \mathsf{Bool}$$
$$\mathsf{Eq}\,(\alpha_1\to\alpha_2) = \mathsf{Void}$$
$$\mathsf{Eq}\,(\alpha_1\times\alpha_2) = \mathsf{Eq}\,(\alpha_1)\times\mathsf{Eq}\,(\alpha_2)$$
$$\mathsf{Eq}\,(\forall\,[\chi]\,\alpha) = \mathsf{Void}$$
$$\mathsf{Eq}\,(\forall^+\,\alpha) = \mathsf{Void}$$
$$\mathsf{Eq}\,(\exists\,[\chi]\,\alpha) = \exists\,[\chi]\,(\lambda\alpha_1{:}\chi.\,\mathsf{Eq}\,(\alpha\,\alpha_1))$$

The property is enforced even on hidden types in an existentially typed package by the reduction rule for Typerec which suspends its action on normal forms with variable head. For instance a term e can only be given type

$$\mathsf{Eq}\,(\exists\alpha{:}\Omega.\,\alpha\times\alpha) = \exists\alpha{:}\Omega.\,\mathsf{Eq}\,\alpha\times\mathsf{Eq}\,\alpha$$

if it can be shown that e is a pair of terms of type $\mathsf{Eq}\,\tau$ for some $\tau$, i.e., terms of equality type. Note that $\mathsf{Eq}\,((\mathsf{Bool}\to\mathsf{Bool})\times(\mathsf{Bool}\to\mathsf{Bool}))$ reduces to $(\mathsf{Void}\times\mathsf{Void})$; a more complicated definition is necessary to map this type to Void.


$$(\lambda x{:}\tau.\,e)\,v \rightsquigarrow e\{v/x\} \qquad (\mathsf{fix}\,x{:}\tau.\,v)\,v' \rightsquigarrow (v\{\mathsf{fix}\,x{:}\tau.\,v/x\})\,v'$$

$$(\Lambda\alpha{:}\kappa.\,v)[\tau] \rightsquigarrow v\{\tau/\alpha\} \qquad (\mathsf{fix}\,x{:}\tau.\,v)[\tau'] \rightsquigarrow (v\{\mathsf{fix}\,x{:}\tau.\,v/x\})[\tau']$$

$$(\Lambda^+\chi.\,v)[\kappa]^+ \rightsquigarrow v\{\kappa/\chi\} \qquad (\mathsf{fix}\,x{:}\tau.\,v)[\kappa]^+ \rightsquigarrow (v\{\mathsf{fix}\,x{:}\tau.\,v/x\})[\kappa]^+$$

$$\frac{e \rightsquigarrow e'}{e\,e_1 \rightsquigarrow e'\,e_1} \qquad \frac{e \rightsquigarrow e'}{e[\tau] \rightsquigarrow e'[\tau]} \qquad \frac{e \rightsquigarrow e'}{e[\kappa]^+ \rightsquigarrow e'[\kappa]^+}$$

$$\mathsf{typecase}[\tau]\;\mathsf{int}\;\mathsf{of}\;(e_{\mathsf{int}};e_\to;e_\forall;e_{\forall^+}) \rightsquigarrow e_{\mathsf{int}}$$

$$\mathsf{typecase}[\tau]\;(\tau_1\to\tau_2)\;\mathsf{of}\;(e_{\mathsf{int}};e_\to;e_\forall;e_{\forall^+}) \rightsquigarrow e_\to\,[\tau_1]\,[\tau_2]$$

$$\mathsf{typecase}[\tau]\;(\forall\,[\kappa]\,\tau')\;\mathsf{of}\;(e_{\mathsf{int}};e_\to;e_\forall;e_{\forall^+}) \rightsquigarrow e_\forall\,[\kappa]^+\,[\tau']$$

$$\mathsf{typecase}[\tau]\;(\forall^+\,\tau')\;\mathsf{of}\;(e_{\mathsf{int}};e_\to;e_\forall;e_{\forall^+}) \rightsquigarrow e_{\forall^+}\,[\tau']$$

$$\frac{\tau' \rightsquigarrow \nu' : \Omega \quad \nu' \text{ is a normal form}}{\mathsf{typecase}[\tau]\;\tau'\;\mathsf{of}\;(e_{\mathsf{int}};e_\to;e_\forall;e_{\forall^+}) \rightsquigarrow \mathsf{typecase}[\tau]\;\nu'\;\mathsf{of}\;(e_{\mathsf{int}};e_\to;e_\forall;e_{\forall^+})}$$

Figure 6: Operational semantics of $\lambda_i^Q$

At the term level type analysis is carried out by the typecase construct; however, it is not iterative since the term language has a recursion primitive, fix. The $e_\forall$ branch of typecase binds the kind and the type abstraction carried by the type constructor $\forall$, while the $e_{\forall^+}$ branch binds the kind abstraction carried by $\forall^+$.

$$\mathsf{typecase}[\tau]\;(\forall\,[\kappa]\,\tau')\;\mathsf{of}\;(e_{\mathsf{int}};e_\to;e_\forall;e_{\forall^+}) \rightsquigarrow e_\forall\,[\kappa]^+\,[\tau']$$
$$\mathsf{typecase}[\tau]\;(\forall^+\,\tau')\;\mathsf{of}\;(e_{\mathsf{int}};e_\to;e_\forall;e_{\forall^+}) \rightsquigarrow e_{\forall^+}\,[\tau']$$

The operational semantics of the term language of $\lambda_i^Q$ is presented in Figure 6.

The language $\lambda_i^Q$ has the following important properties (for detailed proofs, see Appendix B).

Theorem 3.1 Reduction of well-formed types is strongly normalizing.

We prove strong normalization of the type language following Girard's method of candidates [6], using his definition of a candidate. The standard set of neutral types is extended to include types constructed by Typerec. We define $R_\Omega$ as the set of types $\tau$ of kind $\Omega$ such that the type $\mathsf{Typerec}[\kappa]\;\tau\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+})$ belongs to a candidate for kind $\kappa$ whenever the branches belong to candidates of the corresponding kinds from the Typerec formation rule. We then prove that this set is a candidate. Next we define the set $S_\kappa[C/\chi]$ of types of kind $\kappa$ (for given candidates $C$ corresponding to the free kind variables $\chi$ of $\kappa$), equal to $R_\Omega$ for kind $\Omega$, and defined inductively as in [6] for function, polymorphic, and variable kinds. We show that $S_\kappa[C/\chi]$ is a candidate. Finally we prove that $S_\kappa[C/\chi]$ is closed under substitution of types for free type variables; strong normalization is an immediate corollary.

Theorem 3.2 Reduction of well-formed types is confluent.

Confluence of type reduction is a corollary of local confluence, which we prove by case analysis of the type reduction relation ($\rightsquigarrow$). We consider type contexts with two holes and show that the reduction is locally confluent in each case.

We say that a term e is stuck if e is not a value and $e \rightsquigarrow e'$ for no term $e'$.

Theorem 3.3 (Soundness of $\lambda_i^Q$ for Type Safety) If $\varepsilon;\varepsilon;\varepsilon \vdash e : \tau$ and $e \rightsquigarrow^* e'$ in $\lambda_i^Q$, then $e'$ is not stuck.

We prove soundness of the system using a contextual semantics in Wright/Felleisen style [27] using the standard progress, subject reduction, and substitution lemmas as well as the confluence and strong normalization properties of the $\lambda_i^Q$ type system.


3.1  Example:  Marshalling 


One of the examples that Harper and Morrisett [8] use to illustrate the power of intensional type analysis is based on the extension of ML for distributed computing proposed by Ohori and Kato [15]. The idea is to convert values into a form which can be used for transmission over a network. An integer value may be transmitted directly, but a function may not; instead, a globally unique identifier is transmitted that serves as a proxy at the remote site. These identifiers are associated with their functions by a name server that may be contacted through a primitive addressing scheme. The remote sites use the identifiers to make remote calls to the function. Harper and Morrisett show how to define types of transmissible values as well as functions for marshalling to and unmarshalling from these types using intensional type analysis. However, the predicativity of their calculus prevents them from handling the full calculus of Ohori and Kato, which also includes the remote representation of polymorphic functions and remote type application.

In $\lambda_i^Q$ marshalling of polymorphic values is straightforward; in fact it offers more flexibility than the calculus of Ohori and Kato needs, since polymorphic functions become first-class values, and polymorphic types can be used in remote type applications. Adapting the constructs of [8] to $\lambda_i^Q$, we introduce a type constructor $\mathsf{Id} : \Omega\to\Omega$. A value of type $\tau$ has a global identifier of type $\mathsf{Id}\,\tau$. The Typerec and typecase operators are extended in an obvious way. For example, the following type reduction relation is added:

$$\mathsf{Typerec}[\kappa]\;(\mathsf{Id}\,\tau)\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_{\mathsf{Id}}) \rightsquigarrow \tau_{\mathsf{Id}}\,\tau\,(\mathsf{Typerec}[\kappa]\;\tau\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_{\mathsf{Id}}))$$

The type of the remote representation of values of type $\tau$ is $\mathsf{Tran}\,\tau$, defined in [8] using intensional analysis of $\tau$. Values of type $\mathsf{Tran}\,\tau$ do not contain any abstractions; all the abstractions are wrapped inside an Id constructor. We can extend the Harper/Morrisett definition of Tran to handle the quantified types of $\lambda_i^Q$ as follows:


$$\mathsf{Tran}\,(\mathsf{int}) = \mathsf{int}$$
$$\mathsf{Tran}\,(\alpha_1\to\alpha_2) = \mathsf{Id}\,(\mathsf{Tran}\,\alpha_1\to\mathsf{Tran}\,\alpha_2)$$
$$\mathsf{Tran}\,(\forall\,[\chi]\,\alpha) = \mathsf{Id}\,(\forall\alpha'{:}\chi.\,(\lambda\alpha_1{:}\chi.\,\mathsf{Tran}\,(\alpha\,\alpha_1))\,\alpha')$$
$$\mathsf{Tran}\,(\forall^+\,\alpha) = \mathsf{Id}\,(\forall^+\chi'.\,(\Lambda\chi.\,\mathsf{Tran}\,(\alpha\,[\chi]))\,[\chi'])$$
$$\mathsf{Tran}\,(\mathsf{Id}\,\alpha) = \mathsf{Id}\,\alpha$$


At the term level the system provides primitives for creating global identifiers and performing remote invocations:¹

$$\mathsf{newid} : \forall\alpha_1{:}\Omega.\,\forall\alpha_2{:}\Omega.\,(\mathsf{Tran}\,\alpha_1\to\mathsf{Tran}\,\alpha_2)\to\mathsf{Tran}\,(\alpha_1\to\alpha_2)$$
$$\mathsf{rapp} : \forall\alpha_1{:}\Omega.\,\forall\alpha_2{:}\Omega.\,\mathsf{Tran}\,(\alpha_1\to\alpha_2)\to\mathsf{Tran}\,\alpha_1\to\mathsf{Tran}\,\alpha_2$$
$$\mathsf{newpid} : \forall^+\chi.\,\forall\alpha{:}\chi\to\Omega.\,(\forall\alpha'{:}\chi.\,\mathsf{Tran}\,(\alpha\,\alpha'))\to\mathsf{Tran}\,(\forall\,[\chi]\,\alpha)$$
$$\mathsf{rtapp} : \forall^+\chi.\,\forall\alpha{:}\chi\to\Omega.\,\mathsf{Tran}\,(\forall\,[\chi]\,\alpha)\to\forall\alpha'{:}\chi.\,\mathsf{Tran}\,(\alpha\,\alpha')$$

¹ Ohori and Kato [15] define one primitive for creating identifiers for both term and type abstraction.


For completeness in our system we also need to handle kind polymorphism and remote kind applications:

$$\mathsf{newkid} : \forall\alpha{:}(\forall\chi.\,\Omega).\,(\forall^+\chi.\,\mathsf{Tran}\,(\alpha\,[\chi]))\to\mathsf{Tran}\,(\forall^+\,\alpha)$$
$$\mathsf{rkapp} : \forall\alpha{:}(\forall\chi.\,\Omega).\,\mathsf{Tran}\,(\forall^+\,\alpha)\to\forall^+\chi.\,\mathsf{Tran}\,(\alpha\,[\chi])$$

Operationally, the newid's take a function between transmissible values and generate a new, globally unique identifier and tell the name server to associate that identifier with the function on the local machine. The remote applications take a proxy identifier of a remote function and a transmissible argument value. The name server is contacted to get the site where the remote value exists; the argument is sent to this machine, and the result of the function transmitted back as the result of the operation.

Marshalling and unmarshalling of values from transmissible representations are performed by the mutually recursive functions $\mathsf{M} : \forall\alpha{:}\Omega.\,\alpha\to\mathsf{Tran}\,\alpha$ and $\mathsf{U} : \forall\alpha{:}\Omega.\,\mathsf{Tran}\,\alpha\to\alpha$. They are defined below by a pattern-matching syntax and implicit recursion instead of typecase and fix. We assume that a type or a kind does not need to be transformed in order to be transmitted.


$$\mathsf{M}\,[\mathsf{int}] = \lambda x{:}\mathsf{int}.\,x$$
$$\mathsf{M}\,[\alpha_1\to\alpha_2] = \lambda x{:}\alpha_1\to\alpha_2.\,\mathsf{newid}\,[\alpha_1]\,[\alpha_2]\,(\lambda x'{:}\mathsf{Tran}\,\alpha_1.\,\mathsf{M}\,[\alpha_2]\,(x\,(\mathsf{U}\,[\alpha_1]\,x')))$$
$$\mathsf{M}\,[\forall\,[\chi]\,\alpha] = \lambda x{:}\forall\,[\chi]\,\alpha.\,\mathsf{newpid}\,[\chi]^+\,[\alpha]\,(\Lambda\alpha'{:}\chi.\,\mathsf{M}\,[\alpha\,\alpha']\,(x\,[\alpha']))$$
$$\mathsf{M}\,[\forall^+\,\alpha] = \lambda x{:}\forall^+\,\alpha.\,\mathsf{newkid}\,[\alpha]\,(\Lambda^+\chi.\,\mathsf{M}\,[\alpha\,[\chi]]\,(x\,[\chi]^+))$$
$$\mathsf{M}\,[\mathsf{Id}\,\alpha] = \lambda x{:}\mathsf{Id}\,\alpha.\,x$$

$$\mathsf{U}\,[\mathsf{int}] = \lambda x{:}\mathsf{Tran}\,(\mathsf{int}).\,x$$
$$\mathsf{U}\,[\alpha_1\to\alpha_2] = \lambda x{:}\mathsf{Tran}\,(\alpha_1\to\alpha_2).\,\lambda x'{:}\alpha_1.\,\mathsf{U}\,[\alpha_2]\,(\mathsf{rapp}\,[\alpha_1]\,[\alpha_2]\,x\,(\mathsf{M}\,[\alpha_1]\,x'))$$
$$\mathsf{U}\,[\forall\,[\chi]\,\alpha] = \lambda x{:}\mathsf{Tran}\,(\forall\,[\chi]\,\alpha).\,\Lambda\alpha'{:}\chi.\,\mathsf{U}\,[\alpha\,\alpha']\,(\mathsf{rtapp}\,[\chi]^+\,[\alpha]\,x\,[\alpha'])$$
$$\mathsf{U}\,[\forall^+\,\alpha] = \lambda x{:}\mathsf{Tran}\,(\forall^+\,\alpha).\,\Lambda^+\chi.\,\mathsf{U}\,[\alpha\,[\chi]]\,(\mathsf{rkapp}\,[\alpha]\,x\,[\chi]^+)$$
$$\mathsf{U}\,[\mathsf{Id}\,\alpha] = \lambda x{:}\mathsf{Tran}\,(\mathsf{Id}\,\alpha).\,x$$

3.2  Example:  Polymorphic  equality 

Another view at the term-level analysis of quantified types is provided by an example involving the comparison of values of existential type. The term constructs for introduction and elimination of existential types have the following formation rules.

$$\frac{\mathcal{E};\Delta;\Gamma \vdash e : (\lambda\alpha{:}\kappa.\,\tau)\,\tau'}{\mathcal{E};\Delta;\Gamma \vdash (\alpha{:}\kappa = \tau', e{:}\tau) : \exists\alpha{:}\kappa.\,\tau}$$

$$\frac{\mathcal{E};\Delta;\Gamma \vdash e : \exists\,[\kappa]\,\tau \quad \mathcal{E};\Delta \vdash \tau' : \Omega \quad \mathcal{E};\Delta,\alpha{:}\kappa;\Gamma,x{:}\tau\,\alpha \vdash e' : \tau'}{\mathcal{E};\Delta;\Gamma \vdash \mathsf{open}\,e\,\mathsf{as}\,(\alpha{:}\kappa, x{:}\tau\,\alpha)\,\mathsf{in}\,e' : \tau'}$$

The  polymorphic  equality  function  eq  is  defined  in  Figure  7  (we 
use  a  letrec  construct  derived  from  our  fix).  The  domain  type  of 
the  function  is  restricted  to  types  of  the  form  Eq  r  to  ensure  that 
only  values  of  types  admitting  equality  are  compared. 

Consider the two packages $v = (\alpha{:}\Omega = \mathsf{Bool}, \mathsf{false}{:}\alpha)$ and $v' = (\alpha{:}\Omega = \mathsf{Bool}\times\mathsf{Bool}, (\mathsf{true},\mathsf{true}){:}\alpha)$. Both are of type $\exists\alpha{:}\Omega.\,\alpha$, which makes the invocation $\mathsf{eq}\,[\exists\alpha{:}\Omega.\,\alpha]\,v\,v'$ legal. But when the packages are open, the types of the packaged values may (as in this example) turn out to be different. Therefore we need the auxiliary function heq to compare values of possibly different types by comparing their types first. The function corresponds to a matrix on the types of the two arguments, where the diagonal elements compare recursively the constituent values, while off-diagonal elements return false and are abbreviated in the figure.


    letrec
      heq : ∀α:Ω. ∀α':Ω. Eq α → Eq α' → Bool
          = Λα:Ω. Λα':Ω.
            typecase[λγ:Ω. Eq γ → Eq α' → Bool] α of
              Bool ⇒ λx:Bool.
                typecase[λγ:Ω. Eq γ → Bool] α' of
                  Bool ⇒ λy:Bool. primEqBool x y
                  … ⇒ … false
              β1 × β2 ⇒ λx:Eq β1 × Eq β2.
                typecase[λγ:Ω. Eq γ → Bool] α' of
                  β1' × β2' ⇒ λy:Eq β1' × Eq β2'.
                    heq [β1] [β1'] (x.1) (y.1) and
                    heq [β2] [β2'] (x.2) (y.2)
                  … ⇒ … false
              ∃[χ] β ⇒ λx:(∃β1:χ. Eq (β β1)).
                typecase[λγ:Ω. Eq γ → Bool] α' of
                  ∃[χ'] β' ⇒ λy:(∃β1':χ'. Eq (β' β1')).
                    open x as (β1:χ, xc:Eq (β β1)) in
                    open y as (β1':χ', yc:Eq (β' β1')) in
                    heq [β β1] [β' β1'] xc yc
                  … ⇒ … false
    in let eq = Λα:Ω. λx:Eq α. λy:Eq α. heq [α] [α] x y
    in …


Figure 7: Polymorphic equality in $\lambda_i^Q$

The only interesting case is that of values of an existential type. Opening the packages provides access to the witness types $\beta_1$ and $\beta_1'$ of the arguments x and y. As shown in the typing rules, the actual types of the packaged values, x and y, are obtained by applying the corresponding type functions $\beta$ and $\beta'$ to the respective witness types. This yields a perhaps unexpected semantics of equality. Consider this invocation of the eq function which evaluates to true:

$$\mathsf{eq}\,[\exists\alpha{:}\Omega.\,\alpha]$$
$$\quad (\alpha{:}\Omega = \exists\beta{:}\Omega.\,\beta,\; (\beta{:}\Omega = \mathsf{Bool}, \mathsf{true}{:}\mathsf{Eq}\,\beta) : \mathsf{Eq}\,\alpha)$$
$$\quad (\alpha{:}\Omega = \exists\beta{:}\Omega\to\Omega.\,\beta\,\mathsf{Bool},\; (\beta{:}\Omega\to\Omega = \lambda\gamma{:}\Omega.\,\gamma, \mathsf{true}{:}\mathsf{Eq}\,(\beta\,\mathsf{Bool})) : \mathsf{Eq}\,\alpha)$$

At runtime, after the two packages are opened, the call to heq is

$$\mathsf{heq}\,[\exists\beta{:}\Omega.\,\beta]\,[\exists\beta{:}\Omega\to\Omega.\,\beta\,\mathsf{Bool}]\;(\beta{:}\Omega = \mathsf{Bool}, \mathsf{true}{:}\mathsf{Eq}\,\beta)\;(\beta{:}\Omega\to\Omega = \lambda\gamma{:}\Omega.\,\gamma, \mathsf{true}{:}\mathsf{Eq}\,(\beta\,\mathsf{Bool}))$$

This term evaluates to true even though the type arguments are different. The reason is that what is being compared are the actual types of the values before hiding their witness types. Tracing the reduction of this term to the recursive call $\mathsf{heq}\,[\beta\,\beta_1]\,[\beta'\,\beta_1']\,xc\,yc$ we find out it is instantiated to

$$\mathsf{heq}\,[(\lambda\beta{:}\Omega.\,\beta)\,\mathsf{Bool}]\,[(\lambda\beta{:}\Omega\to\Omega.\,\beta\,\mathsf{Bool})\,(\lambda\gamma{:}\Omega.\,\gamma)]\;\mathsf{true}\;\mathsf{true}$$

which reduces to $\mathsf{heq}\,[\mathsf{Bool}]\,[\mathsf{Bool}]\,\mathsf{true}\,\mathsf{true}$ and thus to true.

However this result is justified, since the above two packages of type $\exists\alpha{:}\Omega.\,\alpha$ will indeed behave identically in all contexts. An informal argument in support of this claim is that the most any context could do with such a package is open it and inspect the type of its value using typecase, but this will only provide access to a type function $\tau$ representing the inner existential type. Since the kind $\kappa$ of the domain of $\tau$ is unknown statically, the only non-trivial operation on $\tau$ is its application to the witness type of the package, which is the only available type of kind $\kappa$. As we saw above, this operation will produce the same result (namely Bool) in both cases. Thus, since the two arguments to eq are indistinguishable by $\lambda_i^Q$ contexts, the above result is perfectly sensible.
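As an added illustration of the heq semantics discussed above (a Python model written for this section, not code from the paper), the following collapses the type matrix of Figure 7 into one function and replays both invocations from the text: the packages with witness types Bool and Bool × Bool compare as false, while the nested packages compare as true because each type function is applied to its witness before the values are compared. The Eq restriction on the domain type is not modelled; the names heq, eq, prod, exists and the tagged-tuple encoding are mine.

```python
# Added example: a Python model of heq/eq from Figure 7, not code from the paper.
# Types are tagged tuples, type functions are Python closures, and an
# existential package (beta:kappa = w, v : tau beta) is encoded as ('pack', w, v).
from typing import Any, Callable

BOOL = ('bool',)


def prod(t1, t2):
    return ('prod', t1, t2)


def exists(kind: str, f: Callable):
    # The type ∃[kind] f, i.e. ∃beta:kind. f(beta); f is a Python closure.
    return ('exists', kind, f)


def heq(t1, t2, x: Any, y: Any) -> bool:
    """Compare x : Eq t1 with y : Eq t2 by comparing their types first.

    Only the diagonal of the type matrix compares values; every off-diagonal
    combination returns False, as abbreviated by "… ⇒ … false" in Figure 7."""
    if t1[0] != t2[0]:
        return False
    tag = t1[0]
    if tag == 'bool':
        return x == y                                   # primEqBool x y
    if tag == 'prod':
        return (heq(t1[1], t2[1], x[0], y[0]) and       # x.1, y.1
                heq(t1[2], t2[2], x[1], y[1]))          # x.2, y.2
    if tag == 'exists':
        # open x as (beta1:chi, xc : Eq (beta beta1)) in
        # open y as (beta1':chi', yc : Eq (beta' beta1')) in
        # heq [beta beta1] [beta' beta1'] xc yc
        _, w1, xc = x
        _, w2, yc = y
        return heq(t1[2](w1), t2[2](w2), xc, yc)
    raise ValueError(f'type {tag!r} does not admit equality')


def eq(t, x, y) -> bool:
    # eq = Λα:Ω. λx:Eq α. λy:Eq α. heq [α] [α] x y
    return heq(t, t, x, y)


# Both packages below have type ∃alpha:Omega. alpha (the identity type function).
EXISTS_ALPHA = exists('Omega', lambda a: a)

# v = (alpha:Omega = Bool, false : alpha) and v' = (alpha:Omega = Bool x Bool, (true, true) : alpha)
V_FALSE = ('pack', BOOL, False)
V_PAIR = ('pack', prod(BOOL, BOOL), (True, True))

# The two packages from the text whose comparison evaluates to true:
#   (alpha = ∃beta:Omega. beta,            (beta:Omega = Bool,             true : Eq beta))
#   (alpha = ∃beta:Omega->Omega. beta Bool, (beta = λgamma:Omega. gamma,   true : Eq (beta Bool)))
NESTED_1 = ('pack', exists('Omega', lambda b: b), ('pack', BOOL, True))
NESTED_2 = ('pack', exists('Omega -> Omega', lambda b: b(BOOL)), ('pack', lambda g: g, True))

if __name__ == '__main__':
    print(eq(EXISTS_ALPHA, V_FALSE, V_PAIR))     # False: witness types Bool and Bool x Bool differ
    print(eq(EXISTS_ALPHA, NESTED_1, NESTED_2))  # True: both sides reduce to heq [Bool] [Bool] true true
```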

3.3  Discussion 

Before we move on, it would be worthwhile to analyze the $\lambda_i^Q$ language. Specifically, what is the price in terms of complexity of the type theory that can be attributed to the requirements that we imposed?

In Section 2.3 we saw that an iterative type operator is essential to typechecking many type-directed operations. Even when restricted to compiling ML we still have to consider analysis of polymorphic types of the form $\forall\alpha{:}\Omega.\,\tau$, and their ad hoc inclusion in kind $\Omega$ makes the latter non-inductive. Therefore, even for this simple case, we need kind polymorphism in an essential way to handle the negative occurrence of $\Omega$ in the domain of $\forall$. In turn, kind polymorphism allows us to analyze at the type level types quantified over any kind; hence the extra expressiveness comes for free. Moreover, adding kind polymorphism does not entail any heavy type-theoretic machinery: the kind and type language of $\lambda_i^Q$ is a minor extension (with primitive recursion) of the well-studied calculus $F_2$; we use the basic techniques developed for $F_2$ [6] to prove properties of our type language.

The kind polymorphism of $\lambda_i^Q$ is parametric, i.e., kind analysis is not possible. This property prevents in particular the construction of non-terminating types based on variants of Girard's J operator using a kind-comparing operator [7].

For analysis of quantified types at the term level we have the new construct $\Lambda^+\chi.\,e$. This does not result in any additional complexity at the type level: although we introduce a new type constructor $\forall^+$, the kind of this construct is defined completely by the original kind calculus, and the kind and type calculus is still essentially $F_2$. The term calculus becomes an extension of Girard's $\lambda U$ calculus [5], hence it is not normalizing; however it already includes the general recursion construct fix, necessary in a realistic programming language.

Restricting the type analysis at the term level to a finite set of kinds would help avoid the term-level kind abstraction. However, even in this case, we would still need kind abstraction to implement a type erasure semantics, which can simplify certain phases of the compiler (Section 5). On the other hand, having kind abstraction at the term level of $\lambda_i^Q$ adds no complications to the transition to type erasure semantics.

4  Analyzing  recursive  types 

Next we turn our attention to the problem of analyzing recursive types. Following the general scheme described in the previous section, we need to introduce a type constructor $\mu$ yielding a type isomorphic to the least fixpoint of a given type function. Since the types we analyze are of kind $\Omega$, the kind of $\mu$ of interest is

$$\mu : (\Omega\to\Omega)\to\Omega$$

Unfortunately there is a negative occurrence of $\Omega$ in the domain of this kind, which, as it was with universally quantified types in Section 3, prevents defining an iterator over this kind while maintaining strong normalization of the type language. In the case of quantified types we were able to resolve this problem by generalizing the negative occurrence of $\Omega$ to an arbitrary kind; however such an approach is doomed in the case of recursive types since the argument of $\mu$ must have identical domain and range.

One possibility is to follow the approach outlined by Crary and Weirich in [1] for quantified types; since type variables bound by the fixpoint operator must be of kind $\Omega$, an environment can be used to map them to types of kind $\Omega$ without kind mismatches. While plausible and perhaps efficient, this approach (as pointed out in Section 2.4) gives no protection against some programming errors, and it is unclear how to combine it with $\lambda_i^Q$.

4.1  A  restricted  Typerec 

To handle recursive types, we introduce a new constructor Place that acts as the right inverse of the Typerec. We will first give an informal explanation of how the Place constructor is used in our solution by considering a restricted form of the Typerec. This approach does not guarantee termination; we use it to ease the presentation of the $\lambda_i^P$ calculus.

Consider the iteration $\mathsf{Typerec}[\Omega]\;\tau\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu)$ in the case when $\tau$ is a recursive type, say $\mu\,(\lambda\alpha{:}\Omega.\,\mathsf{int}\to\alpha)$. In many cases, the desired result will be another recursive type, say $\mu\,(\lambda\alpha{:}\Omega.\,\tau')$ where $\tau'$ is the result of analyzing the body. If we followed the approach we used in the case of polymorphic types (i.e., if the iterator's action on the type variable is suspended until the variable is replaced by a type upon unfolding the fixpoint), then the result would be:

$$\mu\,(\lambda\alpha{:}\Omega.\,\tau_\to\,\mathsf{int}\,\alpha\,\tau_{\mathsf{int}}\,(\mathsf{Typerec}[\Omega]\;\alpha\;\mathsf{of}\;\ldots))$$

In this case, the iterator ends up being applied n times to the nth unfolding of the fixpoint, which does not correspond to the desired fixpoint. Instead the iterator must be applied to the body of the type function, but, in contrast with the behavior in the case of a quantified type, the iterator should disappear when applied to the type variable $\alpha$. Since the fixpoint notation represents a type isomorphic to an infinite unfolding of the body, the traversal of the entire infinite tree is complete with one iteration over the body. In other words the iterator must satisfy an equation like $\mathsf{Typerec}[\Omega]\;\alpha\;\mathsf{of}\;\ldots = \alpha$ so that the result of analyzing the body is $\lambda\alpha{:}\Omega.\,\tau_\to\,\mathsf{int}\,\alpha\,\tau_{\mathsf{int}}\,\alpha$.

Therefore, we need to distinguish between type variables bound by a polymorphic or existential quantifier and those bound in a recursive type. This reasoning leads us to a solution based on the work of Fegaras and Sheard on catamorphisms over non-inductive datatypes [4]. The main idea is to introduce an auxiliary type constructor Place of kind $\Omega\to\Omega$ which is the right inverse of the iterator, i.e., it holds that

$$\mathsf{Typerec}[\Omega]\;(\mathsf{Place}\,\tau)\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu) \rightsquigarrow \tau$$

The iterator processes the body of a recursive type with the $\mu$-bound type variable protected under Place. While processing the body, the iterator eventually reduces to instances of the form

$$\mathsf{Typerec}[\Omega]\;(\mathsf{Place}\,\alpha)\;\mathsf{of}\;\ldots,$$

which reduce to $\alpha$. The reduction rule for the iterator over a recursive type is

$$\mathsf{Typerec}[\Omega]\;(\mu\,\tau')\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu) \rightsquigarrow \tau_\mu\,\tau'\,(\lambda\alpha{:}\Omega.\,\mathsf{Typerec}[\Omega]\;(\tau'\,(\mathsf{Place}\,\alpha))\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu))$$
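As an added illustration serving both the Tran operator of Section 3.1 and the Place construction of this section (a Python model written here, not code from the paper), the following encodes type functions as Python closures and implements Typerec as a recursive traversal whose branches receive the original components and the results of the iteration, exactly as in the reduction rules. The branches are those of Tran; the μ branch, which rebuilds a recursive type around the analyzed body, is my extension, since the paper's Tran has no recursive types. Running it shows the suspension on a variable head for a ∀-bound variable and, for the recursive type μ(λα:Ω. int → α), the difference between the naive scheme (iterator left behind on α) and the Place scheme (iterator disappears). The names typerec, tran, show and TRAN are mine.

```python
# Added example: a Python model of Typerec with Place, not code from the paper.
# Types are tagged tuples; type functions (the bodies of forall/mu) are Python
# closures, so type application is ordinary function application.
from typing import Callable, Dict, Tuple

Type = Tuple  # ('int',) | ('arrow', t1, t2) | ('forall', kind, f) | ('mu', f)
              # | ('id', t) | ('place', t) | ('var', name) | ('susp', t)
INT = ('int',)


def typerec(t: Type, br: Dict[str, Callable], use_place: bool = True) -> Type:
    """Iterate over the structure of t as the paper's Typerec does.

    br maps constructor names to branch functions that receive the original
    components followed by the results of the iteration on them, as in the
    reduction rules (e.g. the arrow branch gets t1, t2, t1', t2')."""
    tag = t[0]
    if tag == 'int':
        return br['int']
    if tag == 'arrow':
        _, t1, t2 = t
        return br['arrow'](t1, t2, typerec(t1, br, use_place), typerec(t2, br, use_place))
    if tag == 'forall':
        _, kind, f = t
        # The forall branch receives the kind, the abstraction and a type
        # function encapsulating the iteration on the body; the iterator is
        # suspended on the bound variable until it is instantiated.
        return br['forall'](kind, f, lambda a: typerec(f(a), br, use_place))
    if tag == 'id':
        _, t1 = t
        return br['id'](t1, typerec(t1, br, use_place))
    if tag == 'mu':
        _, f = t
        if use_place:
            # Section 4.1: analyze the body once, with the mu-bound variable
            # protected under Place so that Typerec(Place a) reduces to a.
            return br['mu'](f, lambda a: typerec(f(('place', a)), br, use_place))
        # The scheme used for quantified types: the iterator stays suspended
        # on the bound variable, which is wrong for fixpoints (see the text).
        return br['mu'](f, lambda a: typerec(f(a), br, use_place))
    if tag == 'place':
        return t[1]                  # Place is the right inverse of Typerec
    if tag == 'var':
        return ('susp', t)           # normal form with variable head: suspended
    raise ValueError(f'unknown type constructor {tag!r}')


# Branches of the Tran operator (Section 3.1). The 'mu' branch is my
# extension, not the paper's: it wraps the analyzed body in a new fixpoint.
TRAN = {
    'int': INT,
    'arrow': lambda t1, t2, r1, r2: ('id', ('arrow', r1, r2)),
    'forall': lambda kind, f, g: ('id', ('forall', kind, g)),
    'id': lambda t1, r1: ('id', t1),
    'mu': lambda f, g: ('mu', g),
}


def tran(t: Type, use_place: bool = True) -> Type:
    return typerec(t, TRAN, use_place)


def show(t: Type, depth: int = 0) -> str:
    """Print a type, inventing names a0, a1, ... for bound variables."""
    tag = t[0]
    if tag == 'int':
        return 'int'
    if tag == 'var':
        return t[1]
    if tag == 'arrow':
        return f'({show(t[1], depth)} -> {show(t[2], depth)})'
    if tag in ('forall', 'mu'):
        v = ('var', f'a{depth}')
        body = t[2] if tag == 'forall' else t[1]
        binder = f'forall {v[1]}:{t[1]}' if tag == 'forall' else f'mu {v[1]}'
        return f'({binder}. {show(body(v), depth + 1)})'
    if tag == 'susp':
        return f'Typerec({show(t[1], depth)})'
    return f'{tag.capitalize()}({show(t[1], depth)})'   # 'id' and 'place'


if __name__ == '__main__':
    poly = ('forall', 'Omega', lambda a: ('arrow', a, a))   # forall a:Omega. a -> a
    rec = ('mu', lambda a: ('arrow', INT, a))               # mu a:Omega. int -> a
    print(show(tran(('arrow', INT, INT))))   # Id((int -> int))
    print(show(tran(poly)))                  # Typerec suspended on the bound variable a0
    print(show(tran(rec)))                   # (mu a0. Id((int -> a0))): Place has disappeared
    print(show(tran(rec, use_place=False)))  # iterator left behind on a0
```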

4.2  The  general  case 

The previous approach does not generalize to the case when the result of the Typerec may be of an arbitrary kind. In the general case, the type reductions are:

$$\mathsf{Typerec}[\kappa]\;(\mathsf{Place}\,\tau)\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu) \rightsquigarrow \tau$$
$$\mathsf{Typerec}[\kappa]\;(\mu\,\tau')\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu) \rightsquigarrow \tau_\mu\,\tau'\,(\lambda\alpha{:}\kappa.\,\mathsf{Typerec}[\kappa]\;(\tau'\,(\mathsf{Place}\,\alpha))\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu))$$

The constructor Place can now be applied to a type of arbitrary kind, but its return result must be $\Omega$. This implies that Place has the kind $\forall\chi.\,\chi\to\Omega$. But this is unsound since we can not constrain the kind of $\tau$ above (the argument of Place) to match the result kind $\kappa$ of the Typerec.

Adopting the solution given by Fegaras and Sheard, we modify the domain of intensional analysis: in place of $\Omega$ we introduce a parameterized kind $\eta$, and require that the type $\tau$ being analyzed in $\mathsf{Typerec}[\kappa]\;\tau\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu)$ is of kind $\eta\kappa$. The constructor Place must then have the polymorphic kind $\forall\chi.\,\chi\to\eta\chi$, and the fixpoint constructor $\mu$ the kind $\forall\chi.\,(\eta\chi\to\eta\chi)\to\eta\chi$.

We define the $\lambda_i^P$ calculus in Figures 8 and 9. Figures 10, 11, and 12 show the static semantics. Figure 13 shows the dynamic semantics.


$$\begin{array}{lrcl}
(\text{kinds}) & \kappa & ::= & \chi \mid \eta\kappa \mid \kappa\to\kappa' \mid \forall\chi.\,\kappa \\
(\text{types}) & \tau & ::= & \alpha \mid \mathsf{int} \mid \tilde{\to} \mid \tilde{\forall} \mid \tilde{\forall}^+ \mid \mu \mid \mathsf{Place} \mid \lambda\alpha{:}\kappa.\,\tau \mid \tau\,\tau' \mid \Lambda\chi.\,\tau \mid \tau[\kappa] \\
 & & \mid & \mathsf{Typerec}[\kappa]\;\tau\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu) \\
(\text{values}) & v & ::= & i \mid \Lambda^+\chi.\,v \mid \Lambda\alpha{:}\kappa.\,v \mid \lambda x{:}\tau.\,e \mid \mathsf{fix}\,x{:}\tau.\,v \mid \mathsf{fold}\,v\,\mathsf{as}\,\tau \\
(\text{terms}) & e & ::= & v \mid x \mid e[\kappa]^+ \mid e[\tau] \mid e\,e' \mid \mathsf{fold}\,e\,\mathsf{as}\,\tau \mid \mathsf{unfold}\,e\,\mathsf{as}\,\tau \\
 & & \mid & \mathsf{typecase}[\tau]\;\tau'\;\mathsf{of}\;(e_{\mathsf{int}};e_\to;e_\forall;e_{\forall^+};e_\mu)
\end{array}$$

Figure 8: The $\lambda_i^P$ language


$$\begin{array}{rcl}
\Omega & = & \forall\chi.\,\eta\chi \\
\tau\,\$\,\tau' & = & \Lambda\chi.\,\tau[\chi]\,(\tau'[\chi]) \quad \text{for } \chi\notin fkv(\tau)\cup fkv(\tau') \\
\tau\to\tau' & = & (\to)\,\tau\,\tau' \\
\forall\alpha{:}\kappa.\,\tau & = & \forall\,[\kappa]\,(\lambda\alpha{:}\kappa.\,\tau) \\
\forall^+\chi.\,\tau & = & \forall^+\,(\Lambda\chi.\,\tau) \\
(\to) : \Omega\to\Omega\to\Omega & = & \lambda\alpha{:}\Omega.\,\lambda\alpha'{:}\Omega.\,((\tilde{\to})\,\$\,\alpha)\,\$\,\alpha' \\
\forall : \forall\chi.\,(\chi\to\Omega)\to\Omega & = & \Lambda\chi.\,\lambda\alpha{:}\chi\to\Omega.\,\Lambda\chi'.\,\tilde{\forall}\,[\chi']\,[\chi]\,(\lambda\alpha'{:}\chi.\,\alpha\,\alpha'\,[\chi']) \\
\forall^+ : (\forall\chi.\,\Omega)\to\Omega & = & \lambda\alpha{:}(\forall\chi.\,\Omega).\,\Lambda\chi'.\,\tilde{\forall}^+\,[\chi']\,(\Lambda\chi.\,\alpha\,[\chi]\,[\chi']) \\
\mu : (\forall\chi.\,\eta\chi\to\eta\chi)\to\Omega & = & \lambda\alpha{:}(\forall\chi.\,\eta\chi\to\eta\chi).\;\ldots
\end{array}$$

Figure 9: Syntactic sugar for $\lambda_i^P$


Types which had kind $\Omega$ in $\lambda_i^Q$ could be analyzed by a Typerec with an arbitrary result kind $\kappa'$. In our new language $\lambda_i^P$, a type that can be analyzed by an arbitrary Typerec construct must have the kind $\eta\kappa$ for all possible $\kappa$. Thus the kind $\Omega$ of $\lambda_i^Q$ is represented by the kind $\forall\chi.\,\eta\chi$ in $\lambda_i^P$.

To be able to analyze function and polymorphic types, we now have to modify their kinds as well; to avoid confusion with the constructors based on $\Omega$, we denote the new constructors by $\tilde{\to}$, $\tilde{\forall}$, and $\tilde{\forall}^+$ (Figure 8). The kind rules for these constructors are shown in Figure 10. We can define equivalents of the $\lambda_i^Q$ types $(\to)$, $\forall$, and $\forall^+$ starting from $\tilde{\to}$, $\tilde{\forall}$, and $\tilde{\forall}^+$ respectively. The key intuition in the definition (Figure 9) is that we thread the same kind through all components of kind $\Omega$. For example, expanding the definition of $\tau\to\tau'$ we obtain its equivalent, $\Lambda\chi.\,\tilde{\to}\,[\chi]\,(\tau\,[\chi])\,(\tau'\,[\chi])$. Expressed in terms of these derived types, the typing rules for most $\lambda_i^P$ terms (Figure 11) are identical to those of $\lambda_i^Q$. Compared with $\lambda_i^Q$, the term language of $\lambda_i^P$ has two new constructs, $\mathsf{fold}\,e\,\mathsf{as}\,\tau$ and $\mathsf{unfold}\,e\,\mathsf{as}\,\tau$, to implement the isomorphism between a recursive type and its unfolding.


Kind formation $\mathcal{E}\vdash\kappa$

$$\frac{\chi\in\mathcal{E}}{\mathcal{E}\vdash\chi} \qquad \frac{\mathcal{E}\vdash\kappa}{\mathcal{E}\vdash\eta\kappa} \qquad \frac{\mathcal{E}\vdash\kappa_1 \quad \mathcal{E}\vdash\kappa_2}{\mathcal{E}\vdash\kappa_1\to\kappa_2} \qquad \frac{\mathcal{E},\chi\vdash\kappa}{\mathcal{E}\vdash\forall\chi.\,\kappa}$$

Type environment formation $\mathcal{E}\vdash\Delta$

$$\frac{}{\mathcal{E}\vdash\varepsilon} \qquad \frac{\mathcal{E}\vdash\Delta \quad \mathcal{E}\vdash\kappa}{\mathcal{E}\vdash\Delta,\alpha{:}\kappa}$$

Term environment formation $\mathcal{E};\Delta\vdash\Gamma$

$$\frac{\mathcal{E}\vdash\Delta}{\mathcal{E};\Delta\vdash\varepsilon} \qquad \frac{\mathcal{E};\Delta\vdash\Gamma \quad \mathcal{E};\Delta\vdash\tau:\Omega}{\mathcal{E};\Delta\vdash\Gamma,x{:}\tau}$$

Term formation $\mathcal{E};\Delta;\Gamma\vdash e:\tau$

$$\frac{\mathcal{E};\Delta\vdash\Gamma \quad x{:}\tau\in\Gamma}{\mathcal{E};\Delta;\Gamma\vdash x:\tau}$$

Type formation $\mathcal{E};\Delta\vdash\tau:\kappa$

$$\frac{\mathcal{E}\vdash\Delta}{\begin{array}{l}
\mathcal{E};\Delta\vdash\mathsf{int}:\forall\chi.\,\eta\chi \\
\mathcal{E};\Delta\vdash(\tilde{\to}):\forall\chi.\,\eta\chi\to\eta\chi\to\eta\chi \\
\mathcal{E};\Delta\vdash\tilde{\forall}:\forall\chi.\,\forall\chi'.\,(\chi'\to\eta\chi)\to\eta\chi \\
\mathcal{E};\Delta\vdash\tilde{\forall}^+:\forall\chi.\,(\forall\chi'.\,\eta\chi)\to\eta\chi \\
\mathcal{E};\Delta\vdash\mu:\forall\chi.\,(\eta\chi\to\eta\chi)\to\eta\chi \\
\mathcal{E};\Delta\vdash\mathsf{Place}:\forall\chi.\,\chi\to\eta\chi
\end{array}}$$

$$\frac{\mathcal{E};\Delta,\alpha{:}\kappa\vdash\tau:\kappa'}{\mathcal{E};\Delta\vdash\lambda\alpha{:}\kappa.\,\tau:\kappa\to\kappa'} \qquad \frac{\mathcal{E};\Delta\vdash\tau:\kappa'\to\kappa \quad \mathcal{E};\Delta\vdash\tau':\kappa'}{\mathcal{E};\Delta\vdash\tau\,\tau':\kappa}$$

$$\frac{\mathcal{E},\chi;\Delta\vdash\tau:\kappa}{\mathcal{E};\Delta\vdash\Lambda\chi.\,\tau:\forall\chi.\,\kappa} \qquad \frac{\mathcal{E};\Delta\vdash\tau:\forall\chi.\,\kappa \quad \mathcal{E}\vdash\kappa'}{\mathcal{E};\Delta\vdash\tau\,[\kappa']:\kappa\{\kappa'/\chi\}}$$

$$\frac{\begin{array}{l}
\mathcal{E};\Delta\vdash\tau:\eta\kappa \\
\mathcal{E};\Delta\vdash\tau_{\mathsf{int}}:\kappa \\
\mathcal{E};\Delta\vdash\tau_\to:\eta\kappa\to\eta\kappa\to\kappa\to\kappa\to\kappa \\
\mathcal{E};\Delta\vdash\tau_\forall:\forall\chi.\,(\chi\to\eta\kappa)\to(\chi\to\kappa)\to\kappa \\
\mathcal{E};\Delta\vdash\tau_{\forall^+}:(\forall\chi.\,\eta\kappa)\to(\forall\chi.\,\kappa)\to\kappa \\
\mathcal{E};\Delta\vdash\tau_\mu:(\eta\kappa\to\eta\kappa)\to(\kappa\to\kappa)\to\kappa
\end{array}}{\mathcal{E};\Delta\vdash\mathsf{Typerec}[\kappa]\;\tau\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu):\kappa}$$

$$\frac{\mathcal{E}\vdash\Delta \quad \alpha{:}\kappa\in\Delta}{\mathcal{E};\Delta\vdash\alpha:\kappa}$$

Figure 10: $\lambda_i^P$ type formation rules


Each of these constructors must first be applied to kind $\kappa$ before being analyzed, where $\kappa$ is the kind of the result of the analysis. In all other aspects the type-level analysis proceeds as in $\lambda_i^Q$ by iterating over the components of the type and then passing the results of the iteration and the original components to the corresponding branch of the iterator. For example, consider the analysis of the int and $\tilde{\forall}$ constructors (Figure 12):

$$\mathsf{Typerec}[\kappa]\;(\mathsf{int}\,[\kappa])\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu) \rightsquigarrow \tau_{\mathsf{int}}$$
$$\mathsf{Typerec}[\kappa]\;(\tilde{\forall}\,[\kappa]\,[\kappa']\,\tau)\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu) \rightsquigarrow \tau_\forall\,[\kappa']\,\tau\,(\lambda\alpha{:}\kappa'.\,\mathsf{Typerec}[\kappa]\;(\tau\,\alpha)\;\mathsf{of}\;(\tau_{\mathsf{int}};\tau_\to;\tau_\forall;\tau_{\forall^+};\tau_\mu))$$

The reduction rules for typecase are similar to those in $\lambda_i^Q$, with the recursive type handled in an obvious way (Figure 13). However, there is one subtlety in the typecase reduction rules. Since typecase does not iterate over the structure of a type, its reductions do not introduce the Place constructor; thus the type analyzed by $\mathsf{Typerec}[\kappa]$ must be of kind $\eta\kappa$, but a typecase can only analyze types of kind $\Omega$, i.e., $\forall\chi.\,\eta\chi$. It is easy to see that there are no closed types of this kind constructed using Place. Thus there are no reduction rules for typecase analyzing the Place constructor. We show this (in Section C.1) when proving the soundness of $\lambda_i^P$.


$$\frac{\mathcal{E};\Delta\vdash\Gamma}{\mathcal{E};\Delta;\Gamma\vdash i:\mathsf{int}} \qquad \frac{\mathcal{E};\Delta;\Gamma\vdash e:\tau \quad \mathcal{E};\Delta\vdash\tau\rightsquigarrow\tau':\Omega}{\mathcal{E};\Delta;\Gamma\vdash e:\tau'}$$

$$\frac{\mathcal{E};\Delta\vdash\tau:\forall\chi.\,\eta\chi\to\eta\chi \quad \mathcal{E};\Delta;\Gamma\vdash e:\mu\,\tau}{\mathcal{E};\Delta;\Gamma\vdash\mathsf{unfold}\,e\,\mathsf{as}\,\tau:\tau\,\$\,(\mu\,\tau)} \qquad \frac{\mathcal{E};\Delta\vdash\tau:\forall\chi.\,\eta\chi\to\eta\chi \quad \mathcal{E};\Delta;\Gamma\vdash e:\tau\,\$\,(\mu\,\tau)}{\mathcal{E};\Delta;\Gamma\vdash\mathsf{fold}\,e\,\mathsf{as}\,\tau:\mu\,\tau}$$

$$\frac{\mathcal{E},\chi;\Delta;\Gamma\vdash v:\tau}{\mathcal{E};\Delta;\Gamma\vdash\Lambda^+\chi.\,v:\forall^+\chi.\,\tau} \qquad \frac{\mathcal{E};\Delta,\alpha{:}\kappa;\Gamma\vdash e:\tau}{\mathcal{E};\Delta;\Gamma\vdash\Lambda\alpha{:}\kappa.\,e:\forall\alpha{:}\kappa.\,\tau}$$

$$\frac{\mathcal{E};\Delta;\Gamma\vdash e:\forall^+\,\tau \quad \mathcal{E}\vdash\kappa}{\mathcal{E};\Delta;\Gamma\vdash e[\kappa]^+:\tau\,[\kappa]} \qquad \frac{\mathcal{E};\Delta;\Gamma,x{:}\tau\vdash e:\tau'}{\mathcal{E};\Delta;\Gamma\vdash\lambda x{:}\tau.\,e:\tau\to\tau'}$$

$$\frac{\mathcal{E};\Delta;\Gamma\vdash e:\forall\,[\kappa]\,\tau \quad \mathcal{E};\Delta\vdash\tau':\kappa}{\mathcal{E};\Delta;\Gamma\vdash e[\tau']:\tau\,\tau'} \qquad \frac{\mathcal{E};\Delta;\Gamma\vdash e_1:\tau_2\to\tau_1 \quad \mathcal{E};\Delta;\Gamma\vdash e_2:\tau_2}{\mathcal{E};\Delta;\Gamma\vdash e_1\,e_2:\tau_1}$$

$$\frac{\mathcal{E};\Delta;\Gamma,x{:}\tau\vdash v:\tau \quad \tau=\forall^+\chi_1\ldots\chi_n.\,\forall\alpha_1{:}\kappa_1\ldots\alpha_m{:}\kappa_m.\,\tau_1\to\tau_2 \quad n\ge0,\ m\ge0}{\mathcal{E};\Delta;\Gamma\vdash\mathsf{fix}\,x{:}\tau.\,v:\tau}$$

$$\frac{\begin{array}{l}
\mathcal{E};\Delta\vdash\tau:\Omega\to\Omega \quad \mathcal{E};\Delta\vdash\tau':\Omega \\
\mathcal{E};\Delta;\Gamma\vdash e_{\mathsf{int}}:\tau\,\mathsf{int} \\
\mathcal{E};\Delta;\Gamma\vdash e_\to:\forall\alpha_1{:}\Omega.\,\forall\alpha_2{:}\Omega.\,\tau\,(\alpha_1\to\alpha_2) \\
\mathcal{E};\Delta;\Gamma\vdash e_\forall:\forall^+\chi.\,\forall\alpha{:}\chi\to\Omega.\,\tau\,(\forall\,[\chi]\,\alpha) \\
\mathcal{E};\Delta;\Gamma\vdash e_{\forall^+}:\forall\alpha{:}(\forall\chi.\,\Omega).\,\tau\,(\forall^+\,\alpha) \\
\mathcal{E};\Delta;\Gamma\vdash e_\mu:\forall\alpha{:}(\forall\chi.\,\eta\chi\to\eta\chi).\,\tau\,(\mu\,\alpha)
\end{array}}{\mathcal{E};\Delta;\Gamma\vdash\mathsf{typecase}[\tau]\;\tau'\;\mathsf{of}\;(e_{\mathsf{int}};e_\to;e_\forall;e_{\forall^+};e_\mu):\tau\,\tau'}$$

Figure 11: $\lambda_i^P$ term formation rules


The language $\lambda_i^P$ enjoys the properties of $\lambda_i^Q$ listed in Section 3 (for detailed proofs, see Appendix C). For instance, we prove strong normalization using Girard's method of candidates [6] as
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Type  reduction  £ ;  A  b  n  T2  :  ft 


£ ;  A,  a :  ft  h  ti  T2  :  k' 

£\  A  I-  Aa :  ft .  ti  Aa :  ft.  T2  :  ft  — >  ft' 


£;Ahr  :  K  £ ;  A  h  ti  T2  :  ft 

^Ahr^T  :  K  £ ;  A  b  T2  ti  :  ft 

£ ;  A  Is  Tl  T2  :  ft  £ ;  A  h  T2  T3  :  ft 

£ ;  A  b  n  T3  :  ft 

£,  x;  A  b  r  t'  :  ft 
£;  A  b  Ax-  r  Ax-  r  :  Vx-  ft 

£;  A  h  n  T2  :  Vx-  ft  A’  !"\k' 

£;  A  I-  n  [k'J  T2  [ft']  :  ft{ft'/x} 

£;  A,  aift7  h  t  :  ft  A;  A  h  r  :  ft7 
£\  A  h  (Aq  :  k! .  r)  t'  t{t'  /a}  :  ft 

£,  x;  A  b  r  :  Vx-  ft  £  h  ft' 

£;  A  I-  (Ax-r)  [ft']  ~t-  rj/t'/x}  :  «{«7x} 

£;APt  :  ft  — »  a  ^  ftv(r) 

£;AhAa:/v.ra~>r  :  ft  — >  ft' 

£;  A  h  t  :  Vx'.ft  xifkv{r) 

£;  A  h  Ax-  r  [x]  t  :  Vx*-  ft 


£;  A  h  n  T2  :  ft'  — >  ft  £ ;  A  h  t(  t(  :  ft' 

£ ;  A  b  Tl  Ti  T2  72  :  ft 

£',  A  I-  Typerec[«]  (int  [ft])  of  (rint;  t_;  rv;  ;  rM)  :  ft 
£;  A  I-  Typerec[ft]  (int  [«])  of  (rint;  t^;  rv;  t^;  rM)  Tint  :  ft 

£;  A  I-  Typerec[ft]  n  of  (rint;  r^;  rv;  rv+;  rM)  ~t-  t{  :  ft 

£;  A  h  Typerec[ft]  t2  of  (rint;  r^;  rv;  rv+;  rM)  ~t-  T2  :  ft 

£;  A  I -  Typerec[ft]  ((-A)  [ft]  n  t2)  of  (Tint;  t— ;  Ty;  r^f;  rM)  t_  n  r2  r(  T2  :  ft 

£\  A,  a:  ft'  b  Typerec[ft]  (t  a)  of  (Tint;  t^;  rv;  ;  rM)  r'  :  ft 

£;  A  I-  Typerec[ft]  (V  [ft]  [ft']  r)  of  (-Tint;  T->;  7v;  t^)  ry  [ft']  r  (A a: ft',  r')  :  ft 

£,  Xi  A  h  Typerec[«]  (r  [x])  of  (tint!  t_>;  tv;  t^;  tm)  t'  :  k 
£;  A  I-  Typerec[ft]  (V  [ft]  r)  of  (rint;  T-,;  ry;  T^r;  tm)  r  (Ax-  r')  :  ft 

£;  A,  a:  ft  h  Typerec[ft]  (r  (Place  [ft]  a))  of  (rim;  r.^;  7v;  Tyf ;  r^)  r'  :  ft 

£;  A  h  Typerec[ft]  (fi  [ft]  t)  of  (tint;  t—;  Ty;  Tyf;  tm) tm  t  (Aa:ft.  t')  :  ft 

£;  A  h  Typerec[ft]  (Place  [ft]  t)  of  (tint;  t_^;  Ty;  t^;  t^)  :  ft 

£;  A  h  Typerec[ft]  (Place  [ft]  t)  of  (Tint;  t_;  tv;  tv+;  tm)  t  :  ft 


Figure  12:  Selected  A^  type  reduction  rules 


unfold  (fold  i)  as  t)  as  t -v  ti 

e  e'  e  e' 

fold  easT-vj  fold  e'  as  t  unfold  e  as  t  unfold  e'  as  t 

typecase[T]  int  of  (eint;  e^;  ev;  e^\  eM)  eint 

typecase[T]  (ti  — >  t2)  of  (eint;  e^;  ev;  e^;  eM)  [ti]  [t2] 

typecase[T]  (V  [ft]  t')  of  (eint;  e^;  ev;  ey+;  eM)  -vy  ev  [ft]+  [t'\ 

typecase[T]  (V+  r')  of  (eint;  e^;  ev;  e^;  eM)  eyf  [t'] 

typecase[T]  of  (eint;  e^;  ev;  ey+;  eM)  [t'] 

e;e  t'  if' :  Q  ff'  is  a  normal  form 

typecase[T]  t'  of  (eint;  e^;  ey;  e^y;  e^) 

typecase[T]  v'  of  (eint;  e^;  ey;  e^;  e^) 

Figure  13:  Selected  A f  term  reduction  rules 

for  A f ,  with  a  few  adjustments:  Since  our  “base”  kind  \\  is  para¬ 
metric,  we  define  R^CK  as  the  set  of  types  t  of  kind  t]ft  for  which 
Typerec[ft]  t  . . .  belongs  to  a  candidate  CK  of  kind  ft  whenever  the 
branches  belong  to  candidates  of  the  respective  kinds,  and  the  set 
•^Vp/x]  is  defined  as  R^(SK[C/^\). 


$$\begin{array}{lrcl}
(\text{value}) & v & ::= & i \mid \lambda x{:}\tau.\,e \mid \mathrm{fold}\ v\ \mathrm{as}\ \tau \mid \mathrm{unfold}\ v\ \mathrm{as}\ \tau \mid \Lambda\alpha{:}\kappa.\,v \mid \Lambda^{+}\chi.\,v \mid \mathrm{fix}\ x{:}\tau.\,v \\[4pt]
(\text{context}) & E & ::= & [\,] \mid E\,e \mid v\,E \mid E\,[\tau] \mid E\,[\kappa]^{+} \mid \mathrm{fold}\ E\ \mathrm{as}\ \tau \mid \mathrm{unfold}\ E\ \mathrm{as}\ \tau \\[4pt]
(\text{redex}) & r & ::= & (\lambda x{:}\tau.\,e)\,v \mid (\Lambda\alpha{:}\kappa.\,v)\,[\tau] \mid (\Lambda^{+}\chi.\,v)\,[\kappa]^{+} \\
& & \mid & (\mathrm{fix}\ x{:}\tau.\,v)\,v' \mid (\mathrm{fix}\ x{:}\tau.\,v)\,[\tau'] \mid (\mathrm{fix}\ x{:}\tau.\,v)\,[\kappa]^{+} \\
& & \mid & \mathrm{unfold}\ (\mathrm{fold}\ v\ \mathrm{as}\ \tau)\ \mathrm{as}\ \tau \\
& & \mid & \mathrm{typecase}[\tau]\ \tau'\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_{\mu}) \\
& & \mid & \mathrm{typecase}[\tau]\ \mathrm{int}\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_{\mu}) \\
& & \mid & \mathrm{typecase}[\tau]\ (\tau' \to \tau'')\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_{\mu}) \\
& & \mid & \mathrm{typecase}[\tau]\ (\forall\,[\kappa]\ \tau')\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_{\mu}) \\
& & \mid & \mathrm{typecase}[\tau]\ (\forall^{+}\,\tau')\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_{\mu}) \\
& & \mid & \mathrm{typecase}[\tau]\ (\mu\,\tau')\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_{\mu})
\end{array}$$

Figure 14: Term contexts


4.3  Limitations 

The approach outlined in this section allows the analysis of recursive types within the term language and the type language, but imposes severe limitations on combining these analyses. While one can write a polymorphic equality function of type $\forall\alpha{:}\Omega.\,\alpha \to \alpha \to \mathrm{Bool}$, and one can write a type operator $\mathrm{Eq}$ as in Section 3, it is not possible to write polymorphic equality of type $\forall\alpha{:}\Omega.\,\mathrm{Eq}\ \alpha \to \mathrm{Eq}\ \alpha \to \mathrm{Bool}$. The reason is that although $\mathrm{Eq}\ (\mu\tau)$ reduces to a recursive type, its unfolding is not $\mathrm{Eq}\ (\tau\,\$\,(\mu\tau))$, the type needed for the recursive invocation of the equality function. Indeed the types $\tau'\,(\mu\tau)$ and $\tau'\,(\tau\,\$\,(\mu\tau))$ are not bisimilar in general, since $\tau'$ may analyze its argument and produce different results depending on whether it is a recursive type or not. Thus the problem can be traced back to our decision to define $\mu$ as a "constructor" for kind $\eta$, which makes recursive types observably distinct from their unfoldings. Alternatives are to limit the result kind of Typerec to $\Omega$, or to regain transparency of $\mu$ by eliminating the $\mu$ branch of Typerec and providing a reduction rule which always maps recursive types to recursive types; since the analogous transformation at the term level in the latter case will require combining typecase with recursion, the resulting language exceeds the scope of the current paper.

$$\begin{array}{lrcl}
(\text{kinds}) & \kappa & ::= & \Omega \mid T \mid \kappa \to \kappa' \mid \chi \mid \forall\chi.\,\kappa \\[4pt]
(\text{types}) & \tau & ::= & \mathrm{int} \mid {\to} \mid \forall \mid \forall^{+} \mid R \\
& & \mid & T_{\mathrm{int}} \mid T_{\to} \mid T_{\forall} \mid T_{\forall^{+}} \mid T_R \\
& & \mid & \alpha \mid \Lambda\chi.\,\tau \mid \tau\,[\kappa] \mid \lambda\alpha{:}\kappa.\,\tau \mid \tau\,\tau' \\
& & \mid & \mathrm{Tagrec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \\[4pt]
(\text{fixtype}) & \sigma & ::= & \tau \to \tau' \mid \forall\,[\kappa]\,(\lambda\alpha{:}\kappa.\,\sigma) \mid \forall^{+}(\Lambda\chi.\,\sigma) \\[4pt]
(\text{values}) & v & ::= & i \mid \Lambda^{+}\chi.\,v \mid \Lambda\alpha{:}\kappa.\,v \mid \lambda x{:}\tau.\,e \mid \mathrm{fix}\ x{:}\sigma.\,v \\
& & \mid & R_{\mathrm{int}} \mid R_{\to}(\tau,\tau',v,v') \mid R_{\forall}(\kappa,\tau,\tau',v') \\
& & \mid & R_{\forall^{+}}(\tau,v) \mid R_R(\tau,v) \\[4pt]
(\text{terms}) & e & ::= & v \mid x \mid e\,[\kappa]^{+} \mid e\,[\tau] \mid e\,e' \\
& & \mid & \mathrm{repcase}[\tau]\ e\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_R) \\
& & \mid & R_{\mathrm{int}} \mid R_{\to}(\tau,\tau',e,e') \mid R_{\forall}(\kappa,\tau,\tau',e') \\
& & \mid & R_{\forall^{+}}(\tau,e) \mid R_R(\tau,e)
\end{array}$$

Figure 15: Syntax of the $\lambda_R$ language
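To make the Typerec reduction rules of Figure 12 and the observation of this section concrete, the following is a small Python model added here by the editor; it is not code from the paper. Types of kind $\eta\kappa$ are Python values, the bodies of $\forall$ and $\mu$ are closures, an analysis result of kind $\kappa$ is whatever the branches return, and Typerec on a Place reduces to its payload; the names Int, Arrow, Forall, Mu, Place, typerec, unfold, size, swap, same, plain_body and analysing_body are this example's own, and the $\forall^{+}$ constructor is left out.

```python
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Int:                      # int [kappa]
    pass

@dataclass(frozen=True)
class Arrow:                    # (->) [kappa] tau1 tau2
    dom: Any
    cod: Any

@dataclass(frozen=True)
class Forall:                   # forall [kappa] [kappa'] tau, tau a function of the bound variable
    body: Callable[[Any], Any]

@dataclass(frozen=True)
class Mu:                       # mu [kappa] tau, tau a function of the recursive occurrence
    body: Callable[[Any], Any]

@dataclass(frozen=True)
class Place:                    # Place [kappa] tau: a result of kind kappa injected as a type
    payload: Any


def typerec(t, t_int, t_arrow, t_forall, t_mu):
    """Typerec[kappa] t of (t_int; t_arrow; t_forall; t_mu) after the rules of
    Figure 12.  The branches get what the rules pass them: t_arrow(t1, t2, r1, r2)
    with r_i the analysis of t_i; t_forall(body, rec_body) with rec_body(a) the
    analysis of body(a); t_mu(body, rec_body) with rec_body(a) the analysis of
    body(Place(a)), a of the result kind kappa.  Typerec on Place(a) is a itself."""
    def rec(u):
        return typerec(u, t_int, t_arrow, t_forall, t_mu)
    if isinstance(t, Int):
        return t_int
    if isinstance(t, Arrow):
        return t_arrow(t.dom, t.cod, rec(t.dom), rec(t.cod))
    if isinstance(t, Forall):
        return t_forall(t.body, lambda a: rec(t.body(a)))
    if isinstance(t, Mu):
        return t_mu(t.body, lambda a: rec(t.body(Place(a))))
    if isinstance(t, Place):
        return t.payload
    raise TypeError(f"not a type of kind eta kappa: {t!r}")


def unfold(t):
    """mu tau unfolds to tau applied to mu tau."""
    if not isinstance(t, Mu):
        raise TypeError("unfold expects a recursive type")
    return t.body(t)


def size(t):
    """Numeric result kind: constructors in t.  The recursive occurrence in a mu
    body counts 0 (via Place); the forall rule only yields lambda alpha. tau', so
    a numeric summary must pick an instantiation, here int."""
    return typerec(t, 1,
                   lambda _t1, _t2, r1, r2: 1 + r1 + r2,
                   lambda _body, rec_body: 1 + rec_body(Int()),
                   lambda _body, rec_body: 1 + rec_body(0))


def swap(t):
    """Result kind Omega: reverse every arrow; the binder cases return the closures
    lambda alpha:kappa'. tau' and lambda alpha:kappa. tau' that the rules build."""
    return typerec(t, Int(),
                   lambda _t1, _t2, r1, r2: Arrow(r2, r1),
                   lambda _body, rec_body: Forall(rec_body),
                   lambda _body, rec_body: Mu(rec_body))


def same(t, u):
    """Structural equality of types of kind Omega; binder bodies are compared by
    applying both to the same fresh Place marker."""
    if type(t) is not type(u):
        return False
    if isinstance(t, Arrow):
        return same(t.dom, u.dom) and same(t.cod, u.cod)
    if isinstance(t, (Forall, Mu)):
        marker = Place(object())
        return same(t.body(marker), u.body(marker))
    return t == u


def plain_body(a):              # lambda alpha. int -> alpha: does not analyse alpha
    return Arrow(Int(), a)


def analysing_body(a):          # Typerec[Omega] alpha of (int => int -> int; ...; mu => int)
    return typerec(a, Arrow(Int(), Int()),
                   lambda t1, t2, _r1, _r2: Arrow(Int(), Arrow(t1, t2)),
                   lambda body, _rec: Arrow(Int(), Forall(body)),
                   lambda _body, _rec: Int())
```

With plain_body, unfold(swap(Mu(plain_body))) and swap(unfold(Mu(plain_body))) agree, but with analysing_body the body only ever sees a Place, so the two results have different head constructors (a Mu versus Int), which is the limitation described above.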

5  Type-erasure  semantics 

We give a type erasure semantics for our calculi following Crary et al. [2]. This embedding simplifies certain stages of the compiler, most notably typed closure conversion. The basic idea is to construct term-level representations of types and pass these representations at runtime. The term-level type analysis operator is modified to analyse these representations.


$$\frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash R_{\Omega} = R : T \to \Omega} \qquad \frac{\mathcal{E};\Delta \vdash \alpha_\chi : \chi \to \Omega}{\mathcal{E};\Delta \vdash R_{\chi} = \alpha_\chi : \chi \to \Omega}$$

$$\frac{\mathcal{E};\Delta \vdash R_{\kappa} = \tau : |\kappa| \to \Omega \qquad \mathcal{E};\Delta \vdash R_{\kappa'} = \tau' : |\kappa'| \to \Omega}{\mathcal{E};\Delta \vdash R_{\kappa\to\kappa'} = \lambda\alpha{:}|\kappa \to \kappa'|.\,\forall\beta{:}|\kappa|.\,\tau\,\beta \to \tau'\,(\alpha\,\beta) : |\kappa \to \kappa'| \to \Omega}$$

$$\frac{\mathcal{E},\chi;\Delta,\alpha_\chi{:}\chi \to \Omega \vdash R_{\kappa} = \tau : |\kappa| \to \Omega}{\mathcal{E};\Delta \vdash R_{\forall\chi.\kappa} = \lambda\alpha{:}|\forall\chi.\,\kappa|.\,\forall^{+}\chi.\,\forall\alpha_\chi{:}\chi \to \Omega.\,\tau\,(\alpha\,[\chi]\,R_\chi) : |\forall\chi.\,\kappa| \to \Omega}$$

Figure 16: Types of representations at higher kinds

5.1 Type-erasure for $\lambda_i^{\Omega}$

Since only types of kind $\Omega$ are analysed, we provide representation constants for types of kind $\Omega$; the representations for other kinds will be constructed inductively. Thus the $\lambda_R$ language (Figure 15) has the constant $R_{\mathrm{int}}$ corresponding to the type int, and representation constants like $R_{\to}$ corresponding to each $\lambda_i^{\Omega}$ type constructor.

Consider the problem of typing these representations. We introduce the type constructor $R$ to type the representation for types of kind $\Omega$. Types of higher kind are translated as functions from representations to representations. However, the kind polymorphism in $\lambda_i^{\Omega}$ complicates this. For example, consider the type $\lambda\alpha{:}\chi.\,\alpha$. To get the type of the runtime representation of $\alpha$, we must know the kind $\chi$. Therefore, we use a dictionary passing style at the type level. For every kind argument $\kappa$ at a kind application, we supply the type function $R_\kappa$ (bound by the variable $\alpha_\chi$) mapping types of kind $\kappa$ to the types of their representation terms. We show the mapping in Figure 16.

In $\lambda_i^{\Omega}$, the $\forall$ and the $\forall^{+}$ constructors bind a kind. But the language $\lambda_R$ requires that every construct binding a kind should also bind the corresponding type dictionary. We therefore introduce tags at the type level corresponding to every type constructor in $\lambda_i^{\Omega}$ and a corresponding kind $T$. The type-level analysis operator (Tagrec) now operates on tags. Therefore, we get the following translation of $\lambda_i^{\Omega}$ kinds to $\lambda_R$ kinds.

$$|\Omega| = T \qquad |\kappa \to \kappa'| = |\kappa| \to |\kappa'| \qquad |\chi| = \chi \qquad |\forall\chi.\,\kappa| = \forall\chi.\,(\chi \to \Omega) \to |\kappa|$$

The formation rule for the tags (Figure 17) follows directly from the kind translation and the $\lambda_i^{\Omega}$ kind of the corresponding type constructor. The mapping of $\lambda_i^{\Omega}$ types to $\lambda_R$ tags (Figure 20) is also straightforward. The only interesting case is that of a kind function $\Lambda\chi.\,\tau$; the $\lambda_R$ translation also binds a type dictionary $\alpha_\chi$. Since we do not have the $R$ constructor in $\lambda_i^{\Omega}$, we only need to fill in a type of the appropriate kind for the $T_R$ branch of the Tagrec.

The Tagrec construct provides primitive recursion at the type level. Its reduction rule (Figure 18) is similar to that of the Typerec in $\lambda_i^{\Omega}$. Consider the reduction for the $(T_{\forall}\,[\kappa']\ \tau_1\ \tau_2)$ constructor. Here $\tau_1$ is the type dictionary for the kind $\kappa'$ and $\tau_2$ corresponds to the body of the $\forall$ constructor of $\lambda_i^{\Omega}$. The Tagrec applies the $\tau_{\forall}$ branch to the kind $\kappa'$, the dictionary $\tau_1$, the body $\tau_2$, and the result of the iteration over the body.

$$\frac{\mathcal{E};\Delta,\alpha{:}\kappa' \vdash \mathrm{Tagrec}[\kappa]\ (\tau_2\,\alpha)\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau' : \kappa}{\mathcal{E};\Delta \vdash \mathrm{Tagrec}[\kappa]\ (T_{\forall}\,[\kappa']\ \tau_1\ \tau_2)\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau_{\forall}\,[\kappa']\ \tau_1\ \tau_2\ (\lambda\alpha{:}\kappa'.\,\tau') : \kappa}$$

The term level in $\lambda_R$ contains term-level tags corresponding to the type constructors of $\lambda_i^{\Omega}$. We introduce the constructor $R$ at the type level to type the term-level tags. Figure 17 shows the formation rules for the term-level tags. Given a $\lambda_i^{\Omega}$ type $\tau$ of kind $\Omega$, its term tag has the type $R\,(|\tau|)$ where $|\tau|$ is the type tag of $\tau$. Intuitively, this makes sense since the repcase analyzes the term tag and the Tagrec analyzes $|\tau|$. The repcase has the obvious reduction rule (Figure 19); every branch is applied to the components of the corresponding term tag.

In Figure 21 we show the representation of $\lambda_i^{\Omega}$ types as $\lambda_R$ terms. The key point is to maintain the invariant that every kind abstraction introduces the corresponding type tag and every type abstraction introduces the corresponding term tag. Therefore, the kind and type abstractions are translated as:

$$\Re(\Lambda\chi.\,\tau) = \Lambda^{+}\chi.\,\Lambda\alpha_\chi{:}\chi \to \Omega.\,\Re(\tau)$$

$$\Re(\lambda\alpha{:}\kappa.\,\tau) = \Lambda\alpha{:}|\kappa|.\,\lambda x_\alpha{:}R_\kappa\,\alpha.\,\Re(\tau)$$

The kind application and the type application must supply the corresponding tags. The type tag is $R_\kappa$ (Figure 16) and the term tag is the translation itself. Therefore, the kind and type applications are translated as:

$$\Re(\tau\,[\kappa]) = \Re(\tau)\,[|\kappa|]^{+}\,[R_\kappa]$$

$$\Re(\tau\,\tau') = \Re(\tau)\,[|\tau'|]\,(\Re(\tau'))$$

The translation of type constructors follows from their kind. Consider the translation of the $\forall$ constructor. This constructor binds a kind $\kappa$ and a type $\tau$. Therefore, the translation introduces a kind and the corresponding type tag ($\chi$ and $\alpha_\chi$) and a type and the corresponding term tag ($\alpha$ and $x_\alpha$). The $R_{\forall}$ denotes that this is the term tag for the $\forall$ constructor.

$$\Re(\forall) = \Lambda^{+}\chi.\,\Lambda\alpha_\chi{:}\chi \to \Omega.\,\Lambda\alpha{:}\chi \to T.\,\lambda x_\alpha{:}R_{\chi\to\Omega}(\alpha).\ R_{\forall}(\chi, R_\chi, \alpha, x_\alpha)$$

The Typerec translation uses a repcase, and a fixpoint to simulate the recursion.

We show the translation of $\lambda_i^{\Omega}$ terms to $\lambda_R$ terms in Figure 22. The interesting part of the translation is the use of the Tagrec construct to define the type of the translated term. This is possible only because our system is fully reflexive, but it is crucial for the term translation. In particular, to prove that the translation of a type application and a kind application are of the correct type, the type reduction relation must commute with respect to type and kind substitution, which is enforced by the definition of our type analysis operators.

In Appendix B, we give the detailed semantics of $\lambda_R$ and the translation from $\lambda_i^{\Omega}$ to $\lambda_R$.

We can prove the following propositions about the translation of $\lambda_i^{\Omega}$ to $\lambda_R$. The propositions always extend the original $\lambda_i^{\Omega}$ type environment $\Delta$ with a type environment $\Delta(\mathcal{E})$ which binds a type variable $\alpha_\chi$ of kind $\chi \to \Omega$ for each $\chi \in \mathcal{E}$. Similarly the term-level translations extend the term environment $\Gamma$ with $\Gamma(\Delta)$, binding a variable $x_\alpha$ of type $R_\kappa\,\alpha$ for each type variable $\alpha$ bound in $\Delta$ with kind $\kappa$.

Proposition 5.1 If $\mathcal{E};\Delta \vdash \tau : \kappa$ holds in $\lambda_i^{\Omega}$, then $|\mathcal{E}|;|\Delta|,\Delta(\mathcal{E}) \vdash |\tau| : |\kappa|$ holds in $\lambda_R$.

The runtime representation $\Re(\tau)$ of a $\lambda_i^{\Omega}$ type $\tau$ in $\lambda_R$ is computed as shown in Figure 21.

Proposition 5.2 If $\mathcal{E};\Delta \vdash \tau : \kappa$ and $\mathcal{E};\Delta \vdash \Gamma$ hold in $\lambda_i^{\Omega}$, then $|\mathcal{E}|;|\Delta|,\Delta(\mathcal{E});|\Gamma|,\Gamma(\Delta) \vdash \Re(\tau) : R_\kappa\,|\tau|$ holds in $\lambda_R$.

Figure 22 gives the translation $|e|$ of $\lambda_i^{\Omega}$ terms to $\lambda_R$ terms. The operational semantics of $\lambda_R$ is summarized in Figure 19.

Proposition 5.3 If $\mathcal{E};\Delta;\Gamma \vdash e : \tau$ holds in $\lambda_i^{\Omega}$, then $|\mathcal{E}|;|\Delta|,\Delta(\mathcal{E});|\Gamma|,\Gamma(\Delta) \vdash |e| : \mathrm{Type}\ |\tau|$ holds in $\lambda_R$.

5.2 Type erasure for $\lambda_i^{\mu}$

We saw in Section 4.1 that by restricting the result of the Typerec to kind $\Omega$, we can handle the analysis of recursive types with a $\lambda_i^{\Omega}$-like calculus (with the addition of a $\mu$ constructor of kind $(\Omega \to \Omega) \to \Omega$). In practice, this is sufficient. A Typerec is used only for typing a term-level typecase. Since the type of every branch of the typecase must be of kind $\Omega$, the result of the Typerec must also be of kind $\Omega$. The method in Section 5.1 can then be used to define a type erasure calculus for $\lambda_i^{\mu}$.

6  Related  work 

The work of Harper and Morrisett [8] introduced intensional type analysis and pointed out the necessity for type-level type analysis operators which inductively traverse the structure of types. The domain of their analysis is restricted to a predicative subset of the type language, which prevents its use in programs which must support all types of values, including polymorphic functions, closures, and objects. This paper builds on their work by extending type analysis to include the full type language. Crary et al. [1] propose a very powerful type analysis framework. They define a rich kind calculus that includes sum kinds and inductive kinds. They also provide primitive recursion at the type level. Therefore, they can define new kinds within their calculus and directly encode type analysis operators within their language. They also include a novel refinement operation at the term level. However, their type analysis is "limited to parametrically polymorphic functions, and cannot account for functions that perform intensional type analysis" [1, Section 4.1]. Our type analysis can also handle polymorphic functions that analyze the quantified type variable. Moreover, their type analysis is not fully reflexive since they cannot handle arbitrary quantified types; quantification must be restricted to type variables of kind $\Omega$. Duggan [3] proposes another framework for intensional type analysis; however, he allows the analysis of types only at the term level and not at the type level. Yang [28] presents some approaches to enable type-safe programming of type-indexed values in ML, which is similar to term-level analysis of types. Our solution for recursive types is based on the idea proposed by Fegaras and Sheard [4] for extending the fold operation to non-inductive datatypes. Meijer and Hutton [11] also propose a method for extending catamorphisms to datatypes with embedded functions; however, their method requires the definition of an anamorphism for every such catamorphism. The type erasure semantics follows the idea proposed in [2] of constructing term-level representations of types and passing them at runtime. This idea is similar to dictionary passing used in the implementation of type classes [16, 9].

Necula [14] proposed the ideas of a certifying compiler and implemented a certifying compiler for a type-safe subset of C. Morrisett et al. [13] showed that a fully type-preserving compiler generating type-safe assembly code is a practical basis for a certifying compiler.

The idea of programming with iterators is explained in Pierce's notes [18]. Pfenning and Mohring [17] show how inductively defined types can be represented by closed types. They also construct representations of all primitive recursive functions over inductively defined types.

7  Conclusions 

We presented a type-theoretic framework for fully reflexive intensional analysis of types which includes analysis of polymorphic, existential, and recursive types. We can analyze arbitrary types both at the type level and at the term level. Moreover, we are not restricted to analyzing only parametrically polymorphic functions; we can also handle polymorphic functions that analyze the quantified type variable. We proved the calculus sound and showed that type checking still remains decidable. We gave an encoding of our calculus into a type erasure semantics. Since we can analyze arbitrary types, we can now use these constructs to write type-dependent runtime services that can operate on values of any type; as an example we showed how to use reflexive type analysis to support type-safe marshalling.
A Semantics of $\lambda_R$ and Translation from $\lambda_i^{\Omega}$

Kind formation $\mathcal{E} \vdash \kappa$

$$\frac{}{\mathcal{E} \vdash T}$$

Type formation $\mathcal{E};\Delta \vdash \tau : \kappa$

$$\frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash R : T \to \Omega} \qquad \frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash T_{\mathrm{int}} : T} \qquad \frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash T_{\to} : T \to T \to T}$$

$$\frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash T_{\forall} : \forall\chi.\,(\chi \to \Omega) \to (\chi \to T) \to T} \qquad \frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash T_{\forall^{+}} : (\forall\chi.\,(\chi \to \Omega) \to T) \to T} \qquad \frac{\mathcal{E} \vdash \Delta}{\mathcal{E};\Delta \vdash T_R : T \to T}$$

$$\frac{\begin{array}{l}
\mathcal{E};\Delta \vdash \tau : T \qquad \mathcal{E};\Delta \vdash \tau_{\mathrm{int}} : \kappa \\
\mathcal{E};\Delta \vdash \tau_{\to} : T \to T \to \kappa \to \kappa \to \kappa \\
\mathcal{E};\Delta \vdash \tau_{\forall} : \forall\chi.\,(\chi \to \Omega) \to (\chi \to T) \to (\chi \to \kappa) \to \kappa \\
\mathcal{E};\Delta \vdash \tau_{\forall^{+}} : (\forall\chi.\,(\chi \to \Omega) \to T) \to (\forall\chi.\,(\chi \to \Omega) \to \kappa) \to \kappa \\
\mathcal{E};\Delta \vdash \tau_R : T \to \kappa \to \kappa
\end{array}}{\mathcal{E};\Delta \vdash \mathrm{Tagrec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) : \kappa}$$

Term formation $\mathcal{E};\Delta;\Gamma \vdash e : \tau$

$$\frac{\mathcal{E};\Delta \vdash \Gamma}{\mathcal{E};\Delta;\Gamma \vdash R_{\mathrm{int}} : R\,T_{\mathrm{int}}} \qquad \frac{\mathcal{E};\Delta;\Gamma \vdash e : R\,\tau \qquad \mathcal{E};\Delta;\Gamma \vdash e' : R\,\tau'}{\mathcal{E};\Delta;\Gamma \vdash R_{\to}(\tau,\tau',e,e') : R\,(T_{\to}\ \tau\ \tau')}$$

$$\frac{\mathcal{E};\Delta \vdash \tau : |\kappa| \to \Omega \qquad \mathcal{E};\Delta;\Gamma \vdash e' : R_{\kappa\to\Omega}(\tau')}{\mathcal{E};\Delta;\Gamma \vdash R_{\forall}(|\kappa|,\tau,\tau',e') : R\,(T_{\forall}\,[|\kappa|]\ \tau\ \tau')}$$

$$\frac{\mathcal{E};\Delta;\Gamma \vdash e : R_{\forall\chi.\Omega}(\tau)}{\mathcal{E};\Delta;\Gamma \vdash R_{\forall^{+}}(\tau,e) : R\,(T_{\forall^{+}}\ \tau)} \qquad \frac{\mathcal{E};\Delta;\Gamma \vdash e : R\,\tau}{\mathcal{E};\Delta;\Gamma \vdash R_R(\tau,e) : R\,(T_R\ \tau)}$$

$$\frac{\begin{array}{l}
\mathcal{E};\Delta \vdash \tau : T \to \Omega \qquad \mathcal{E};\Delta;\Gamma \vdash e : R\,\tau' \\
\mathcal{E};\Delta;\Gamma \vdash e_{\mathrm{int}} : \tau\,T_{\mathrm{int}} \\
\mathcal{E};\Delta;\Gamma \vdash e_{\to} : \forall\alpha_1{:}T.\,R\,\alpha_1 \to \forall\alpha_2{:}T.\,R\,\alpha_2 \to \tau\,(T_{\to}\ \alpha_1\ \alpha_2) \\
\mathcal{E};\Delta;\Gamma \vdash e_{\forall} : \forall^{+}\chi.\,\forall\alpha_\chi{:}\chi \to \Omega.\,\forall\alpha{:}\chi \to T.\,R_{\chi\to\Omega}(\alpha) \to \tau\,(T_{\forall}\,[\chi]\ \alpha_\chi\ \alpha) \\
\mathcal{E};\Delta;\Gamma \vdash e_{\forall^{+}} : \forall\alpha{:}\forall\chi.\,(\chi \to \Omega) \to T.\,R_{\forall\chi.\Omega}(\alpha) \to \tau\,(T_{\forall^{+}}\ \alpha) \\
\mathcal{E};\Delta;\Gamma \vdash e_R : \forall\alpha{:}T.\,R\,\alpha \to \tau\,(T_R\ \alpha)
\end{array}}{\mathcal{E};\Delta;\Gamma \vdash \mathrm{repcase}[\tau]\ e\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_R) : \tau\,\tau'}$$

Figure 17: Formation rules for the new constructs in $\lambda_R$


Type reduction $\mathcal{E};\Delta \vdash \tau \leadsto \tau' : \kappa$

$$\frac{\mathcal{E};\Delta \vdash \mathrm{Tagrec}[\kappa]\ T_{\mathrm{int}}\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) : \kappa}{\mathcal{E};\Delta \vdash \mathrm{Tagrec}[\kappa]\ T_{\mathrm{int}}\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau_{\mathrm{int}} : \kappa}$$

$$\frac{\mathcal{E};\Delta \vdash \mathrm{Tagrec}[\kappa]\ \tau_1\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau_1' : \kappa \qquad \mathcal{E};\Delta \vdash \mathrm{Tagrec}[\kappa]\ \tau_2\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau_2' : \kappa}{\mathcal{E};\Delta \vdash \mathrm{Tagrec}[\kappa]\ (T_{\to}\ \tau_1\ \tau_2)\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau_{\to}\ \tau_1\ \tau_2\ \tau_1'\ \tau_2' : \kappa}$$

$$\frac{\mathcal{E};\Delta,\alpha{:}\kappa' \vdash \mathrm{Tagrec}[\kappa]\ (\tau_2\,\alpha)\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau' : \kappa}{\mathcal{E};\Delta \vdash \mathrm{Tagrec}[\kappa]\ (T_{\forall}\,[\kappa']\ \tau_1\ \tau_2)\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau_{\forall}\,[\kappa']\ \tau_1\ \tau_2\ (\lambda\alpha{:}\kappa'.\,\tau') : \kappa}$$

$$\frac{\mathcal{E},\chi;\Delta,\alpha_\chi{:}\chi \to \Omega \vdash \mathrm{Tagrec}[\kappa]\ (\tau\,[\chi]\ \alpha_\chi)\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau' : \kappa}{\mathcal{E};\Delta \vdash \mathrm{Tagrec}[\kappa]\ (T_{\forall^{+}}\ \tau)\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau_{\forall^{+}}\ \tau\ (\Lambda\chi.\,\lambda\alpha_\chi{:}\chi \to \Omega.\,\tau') : \kappa}$$

$$\frac{\mathcal{E};\Delta \vdash \mathrm{Tagrec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau' : \kappa}{\mathcal{E};\Delta \vdash \mathrm{Tagrec}[\kappa]\ (T_R\ \tau)\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}};\tau_R) \leadsto \tau_R\ \tau\ \tau' : \kappa}$$

Figure 18: Non-standard reduction rules for $\lambda_R$ types


$$\mathrm{repcase}[\tau]\ R_{\mathrm{int}}\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_R) \leadsto e_{\mathrm{int}}$$

$$\mathrm{repcase}[\tau]\ R_{\to}(\tau,\tau',e,e')\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_R) \leadsto e_{\to}\,[\tau]\,[\tau']\ e\ e'$$

$$\mathrm{repcase}[\tau]\ R_{\forall}(\kappa,\tau,\tau',e')\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_R) \leadsto e_{\forall}\,[\kappa]^{+}\,[\tau]\,[\tau']\ e'$$

$$\mathrm{repcase}[\tau]\ R_{\forall^{+}}(\tau,e)\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_R) \leadsto e_{\forall^{+}}\,[\tau]\ e$$

$$\mathrm{repcase}[\tau]\ R_R(\tau,e)\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_R) \leadsto e_R\,[\tau]\ e$$

$$\frac{e \leadsto e'}{\mathrm{repcase}[\tau]\ e\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_R) \leadsto \mathrm{repcase}[\tau]\ e'\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}};e_R)}$$

Figure 19: New term reduction rules of $\lambda_R$


$$\begin{array}{ll}
|\alpha| = \alpha & \\
|\mathrm{int}| = T_{\mathrm{int}} & |\Lambda\chi.\,\tau| = \Lambda\chi.\,\lambda\alpha_\chi{:}\chi \to \Omega.\,|\tau| \\
|{\to}| = T_{\to} & |\tau\,[\kappa]| = |\tau|\,[|\kappa|]\,R_\kappa \\
|\forall| = T_{\forall} & |\lambda\alpha{:}\kappa.\,\tau| = \lambda\alpha{:}|\kappa|.\,|\tau| \\
|\forall^{+}| = T_{\forall^{+}} & |\tau\,\tau'| = |\tau|\,|\tau'|
\end{array}$$

$$|\mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}})| = \mathrm{Tagrec}[|\kappa|]\ |\tau|\ \mathrm{of}\ (|\tau_{\mathrm{int}}|;|\tau_{\to}|;|\tau_{\forall}|;|\tau_{\forall^{+}}|;\lambda\_{:}T.\,\lambda\_{:}|\kappa|.\,|\tau_{\mathrm{int}}|)$$

Figure 20: Mapping of $\lambda_i^{\Omega}$ types to tags
$$\begin{array}{l}
\Re(\mathrm{int}) = R_{\mathrm{int}} \\[4pt]
\Re(\to) = \Lambda\alpha{:}T.\,\lambda x_\alpha{:}R\,\alpha.\,\Lambda\beta{:}T.\,\lambda x_\beta{:}R\,\beta.\ R_{\to}(\alpha,\beta,x_\alpha,x_\beta) \\[4pt]
\Re(\forall) = \Lambda^{+}\chi.\,\Lambda\alpha_\chi{:}\chi \to \Omega.\,\Lambda\alpha{:}\chi \to T.\,\lambda x_\alpha{:}R_{\chi\to\Omega}(\alpha).\ R_{\forall}(\chi,R_\chi,\alpha,x_\alpha) \\[4pt]
\Re(\forall^{+}) = \Lambda\alpha{:}(\forall\chi.\,(\chi \to \Omega) \to T).\,\lambda x_\alpha{:}R_{\forall\chi.\Omega}\,\alpha.\ R_{\forall^{+}}(\alpha,x_\alpha) \\[4pt]
\Re(\alpha) = x_\alpha \\[4pt]
\Re(\Lambda\chi.\,\tau) = \Lambda^{+}\chi.\,\Lambda\alpha_\chi{:}\chi \to \Omega.\,\Re(\tau) \\[4pt]
\Re(\tau\,[\kappa]) = \Re(\tau)\,[|\kappa|]^{+}\,[R_\kappa] \\[4pt]
\Re(\lambda\alpha{:}\kappa.\,\tau) = \Lambda\alpha{:}|\kappa|.\,\lambda x_\alpha{:}R_\kappa\,\alpha.\,\Re(\tau) \\[4pt]
\Re(\tau\,\tau') = \Re(\tau)\,[|\tau'|]\,(\Re(\tau')) \\[4pt]
\Re(\mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}})) = \\
\quad (\mathrm{fix}\ f{:}\forall\alpha{:}T.\,R\,\alpha \to R_\kappa\,(\tau^{*}\,\alpha).\ \Lambda\alpha{:}T.\,\lambda x_\alpha{:}R\,\alpha. \\
\quad\quad \mathrm{repcase}[\lambda\alpha{:}T.\,R_\kappa\,(\tau^{*}\,\alpha)]\ x_\alpha\ \mathrm{of} \\
\quad\quad\quad R_{\mathrm{int}} \Rightarrow \Re(\tau_{\mathrm{int}}) \\
\quad\quad\quad R_{\to} \Rightarrow \Lambda\alpha{:}T.\,\lambda x_\alpha{:}R\,\alpha.\,\Lambda\beta{:}T.\,\lambda x_\beta{:}R\,\beta. \\
\quad\quad\quad\quad \Re(\tau_{\to})\,[\alpha]\,x_\alpha\,[\beta]\,x_\beta\,[\tau^{*}\,\alpha]\,(f\,[\alpha]\,x_\alpha)\,[\tau^{*}\,\beta]\,(f\,[\beta]\,x_\beta) \\
\quad\quad\quad R_{\forall} \Rightarrow \Lambda^{+}\chi.\,\Lambda\alpha_\chi{:}\chi \to \Omega.\,\Lambda\alpha{:}\chi \to T.\,\lambda x_\alpha{:}R_{\chi\to\Omega}(\alpha). \\
\quad\quad\quad\quad \Re(\tau_{\forall})\,[\chi]^{+}\,[R_\chi]\,[\alpha]\,x_\alpha\,[\lambda\beta{:}\chi.\,\tau^{*}\,(\alpha\,\beta)] \\
\quad\quad\quad\quad\quad (\Lambda\beta{:}\chi.\,\lambda x_\beta{:}R_\chi\,\beta.\,f\,[\alpha\,\beta]\,(x_\alpha\,[\beta]\,x_\beta)) \\
\quad\quad\quad R_{\forall^{+}} \Rightarrow \Lambda\alpha{:}(\forall\chi.\,(\chi \to \Omega) \to T).\,\lambda x_\alpha{:}R_{\forall\chi.\Omega}\,\alpha. \\
\quad\quad\quad\quad \Re(\tau_{\forall^{+}})\,[\alpha]\,x_\alpha\,[\Lambda\chi.\,\lambda\alpha_\chi{:}\chi \to \Omega.\,\tau^{*}\,(\alpha\,[\chi]\,R_\chi)] \\
\quad\quad\quad\quad\quad (\Lambda^{+}\chi.\,\Lambda\alpha_\chi{:}\chi \to \Omega.\,f\,[\alpha\,[\chi]\,R_\chi]\,(x_\alpha\,[\chi]^{+}\,[R_\chi])) \\
\quad\quad\quad R_R \Rightarrow \Lambda\alpha{:}T.\,\lambda x_\alpha{:}R\,\alpha.\,\Re(\tau_{\mathrm{int}}))
\end{array}$$

where

$$\tau^{*} = |\lambda\alpha{:}\Omega.\,\mathrm{Typerec}[\kappa]\ \alpha\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^{+}})|$$

Figure 21: Representation of $\lambda_i^{\Omega}$ types as $\lambda_R$ terms


B Properties of $\lambda_i^{\Omega}$

B.1 Soundness of $\lambda_i^{\Omega}$

The operational semantics for $\lambda_i^{\Omega}$ are in Figure 6. The reduction rules are standard except for the typecase construct. The typecase chooses a branch depending on the head constructor of the type being analyzed and passes the corresponding subtypes as arguments. For example, while analyzing the polymorphic type $\forall\,[\kappa]\ \tau$, it chooses the $e_{\forall}$ branch and applies it to the kind $\kappa$ and the type function $\tau$. If the type being analyzed is not in normal form, the typecase reduces the type to its unique normal form.

We prove soundness of the system by using contextual semantics in Wright/Felleisen style [27]. The evaluation contexts $E$ are shown in Figure 23. The reduction rules for the redexes $r$ are shown in Figure 6. We assume unique variable names and our environments are sets of variables. The notation $\vdash e : \tau$ is used as a shorthand for $\varnothing;\varnothing;\varnothing \vdash e : \tau$.

Lemma B.1 If $\varnothing;\varnothing \vdash v : \Omega$, then $v$ is one of $\mathrm{int}$, $v_1 \to v_2$, $\forall\,[\kappa]\ v_1$, or $\forall^{+}\,v_1$.

Proof Since $v$ is well-formed in an empty environment, it does not contain any free type or kind variables. Therefore $v$ cannot be a $v^{\circ}$ since the head of a $v^{\circ}$ is a type variable. The lemma now follows by inspecting the remaining possibilities for $v$. □


$$\begin{array}{l}
|i| = i \\[4pt]
|x| = x \\[4pt]
|\Lambda^{+}\chi.\,v| = \Lambda^{+}\chi.\,\Lambda\alpha_\chi{:}\chi \to \Omega.\,|v| \\[4pt]
|e\,[\kappa]^{+}| = |e|\,[|\kappa|]^{+}\,[R_\kappa] \\[4pt]
|\Lambda\alpha{:}\kappa.\,v| = \Lambda\alpha{:}|\kappa|.\,\lambda x_\alpha{:}R_\kappa\,\alpha.\,|v| \\[4pt]
|e\,[\tau]| = |e|\,[|\tau|]\,\Re(\tau) \\[4pt]
|\lambda x{:}\tau.\,e| = \lambda x{:}\mathrm{Type}\ |\tau|.\,|e| \\[4pt]
|e\,e'| = |e|\,|e'| \\[4pt]
|\mathrm{typecase}[\tau]\ \tau'\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}})| = \\
\quad \mathrm{repcase}[\lambda\alpha{:}T.\,\mathrm{Type}\ (|\tau|\,\alpha)]\ \Re(\tau')\ \mathrm{of} \\
\quad\quad R_{\mathrm{int}} \Rightarrow |e_{\mathrm{int}}| \\
\quad\quad R_{\to} \Rightarrow |e_{\to}| \\
\quad\quad R_{\forall} \Rightarrow |e_{\forall}| \\
\quad\quad R_{\forall^{+}} \Rightarrow |e_{\forall^{+}}| \\
\quad\quad R_R \Rightarrow \Lambda\alpha{:}T.\,\lambda x{:}R\,\alpha.\,|e_{\mathrm{int}}|
\end{array}$$

where

$$\begin{array}{l}
\mathrm{Type} = \lambda\alpha{:}T.\,\mathrm{Tagrec}[\Omega]\ \alpha\ \mathrm{of} \\
\quad T_{\mathrm{int}} \Rightarrow \mathrm{int} \\
\quad T_{\to} \Rightarrow \lambda\_{:}T.\,\lambda\_{:}T.\,\lambda\alpha_1{:}\Omega.\,\lambda\alpha_2{:}\Omega.\,\alpha_1 \to \alpha_2 \\
\quad T_{\forall} \Rightarrow \Lambda\chi.\,\lambda\alpha_\chi{:}\chi \to \Omega.\,\lambda\_{:}\chi \to T.\,\lambda\alpha'{:}\chi \to \Omega.\,\forall\alpha{:}\chi.\,R_\chi\,\alpha \to \alpha'\,\alpha \\
\quad T_{\forall^{+}} \Rightarrow \lambda\_{:}(\forall\chi.\,(\chi \to \Omega) \to T).\,\lambda\alpha{:}(\forall\chi.\,(\chi \to \Omega) \to \Omega).\,\forall^{+}\chi.\,\forall\alpha_\chi{:}\chi \to \Omega.\,\alpha\,[\chi]\,R_\chi \\
\quad T_R \Rightarrow \mathrm{int}
\end{array}$$

Figure 22: Translation of $\lambda_i^{\Omega}$ terms to $\lambda_R$


$$\begin{array}{lrcl}
(\text{value}) & v & ::= & i \mid \lambda x{:}\tau.\,e \mid \mathrm{fix}\ x{:}\tau.\,v \mid \Lambda\alpha{:}\kappa.\,v \mid \Lambda^{+}\chi.\,v \\[4pt]
(\text{context}) & E & ::= & [\,] \mid E\,e \mid v\,E \mid E\,[\tau] \mid E\,[\kappa]^{+} \\[4pt]
(\text{redex}) & r & ::= & (\lambda x{:}\tau.\,e)\,v \mid (\Lambda\alpha{:}\kappa.\,v)\,[\tau] \mid (\Lambda^{+}\chi.\,v)\,[\kappa]^{+} \\
& & \mid & (\mathrm{fix}\ x{:}\tau.\,v)\,v' \mid (\mathrm{fix}\ x{:}\tau.\,v)\,[\tau'] \mid (\mathrm{fix}\ x{:}\tau.\,v)\,[\kappa]^{+} \\
& & \mid & \mathrm{typecase}[\tau]\ \tau'\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}}) \\
& & \mid & \mathrm{typecase}[\tau]\ \mathrm{int}\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}}) \\
& & \mid & \mathrm{typecase}[\tau]\ (\tau' \to \tau'')\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}}) \\
& & \mid & \mathrm{typecase}[\tau]\ (\forall\,[\kappa]\ \tau')\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}}) \\
& & \mid & \mathrm{typecase}[\tau]\ (\forall^{+}\,\tau')\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}})
\end{array}$$

Figure 23: Term contexts

Lemma B.2 (Decomposition of terms) If $\vdash e : \tau$, then either $e$ is a value or it can be decomposed into unique $E$ and $r$ such that $e = E[r]$.

This is proved by induction over the derivation of $\vdash e : \tau$, using Lemma B.1 in the case of the typecase construct.

Corollary B.3 (Progress) If $\vdash e : \tau$, then either $e$ is a value or there exists an $e'$ such that $e \mapsto e'$.

Proof By Lemma B.2, we know that if $\vdash e : \tau$ and $e$ is not a value, then there exist some $E$ and redex $e_1$ such that $e = E[e_1]$. Since $e_1$ is a redex, there exists a contraction $e_2$ such that $e_1 \leadsto e_2$. Therefore $e \mapsto e'$ for $e' = E[e_2]$. □

Lemma B.4 If $\vdash E[e] : \tau$, then there exists a $\tau'$ such that $\vdash e : \tau'$, and for all $e'$ such that $\vdash e' : \tau'$ we have $\vdash E[e'] : \tau$.
$$\begin{array}{rcl}
& \ldots \mid & \mathrm{Typerec}[\kappa]\ v^{\circ}\ \mathrm{of}\ (v_{\mathrm{int}};v_{\to};v_{\forall};v_{\forall^{+}}) \\[4pt]
v & ::= & v^{\circ} \mid \mathrm{int} \mid {\to} \mid (\to)\,v \mid (\to)\,v\,v' \\
& \mid & \forall \mid \forall\,[\kappa] \mid \forall\,[\kappa]\ v \mid \forall^{+} \mid \forall^{+}\,v \\
& \mid & \lambda\alpha{:}\kappa.\,v,\ \text{where}\ \forall v^{\circ}.\ v \neq v^{\circ}\,\alpha\ \text{or}\ \alpha \in \mathrm{ftv}(v^{\circ}) \\
& \mid & \Lambda\chi.\,v,\ \text{where}\ \forall v^{\circ}.\ v \neq v^{\circ}\,[\chi]\ \text{or}\ \chi \in \mathrm{fkv}(v^{\circ})
\end{array}$$

Figure 24: Normal forms in the $\lambda_i^{\Omega}$ type language


Proof The proof is by induction on the derivation of $\vdash E[e] : \tau$. The different forms of $E$ are handled similarly; we will show only one case here.

• case $E = E_1\,e_1$: We have that $\vdash (E_1[e])\,e_1 : \tau$. By the typing rules, this implies that $\vdash E_1[e] : \tau_1 \to \tau$, for some $\tau_1$. By induction, there exists a $\tau'$ such that $\vdash e : \tau'$ and for all $e'$ such that $\vdash e' : \tau'$, we have that $\vdash E_1[e'] : \tau_1 \to \tau$. Therefore $\vdash (E_1[e'])\,e_1 : \tau$. □

As usual, the proof of soundness depends on several substitution lemmas; these are shown below. The proofs are fairly straightforward and proceed by induction on the derivation of the judgments. The notion of substitution is extended to environments in the usual way.

Lemma B.5 If $\mathcal{E},\chi \vdash \kappa$ and $\mathcal{E} \vdash \kappa'$, then $\mathcal{E} \vdash \kappa\{\kappa'/\chi\}$.

Lemma B.6 If $\mathcal{E},\chi;\Delta \vdash \tau : \kappa$ and $\mathcal{E} \vdash \kappa'$, then $\mathcal{E};\Delta\{\kappa'/\chi\} \vdash \tau\{\kappa'/\chi\} : \kappa\{\kappa'/\chi\}$.

Lemma B.7 If $\mathcal{E},\chi;\Delta;\Gamma \vdash e : \tau$ and $\mathcal{E} \vdash \kappa$, then $\mathcal{E};\Delta\{\kappa/\chi\};\Gamma\{\kappa/\chi\} \vdash e\{\kappa/\chi\} : \tau\{\kappa/\chi\}$.

Lemma B.8 If $\mathcal{E};\Delta,\alpha{:}\kappa' \vdash \tau : \kappa$ and $\mathcal{E};\Delta \vdash \tau' : \kappa'$, then $\mathcal{E};\Delta \vdash \tau\{\tau'/\alpha\} : \kappa$.

Lemma B.9 If $\mathcal{E};\Delta,\alpha{:}\kappa;\Gamma \vdash e : \tau$ and $\mathcal{E};\Delta \vdash \tau' : \kappa$, then $\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash e\{\tau'/\alpha\} : \tau\{\tau'/\alpha\}$.

Proof We prove this by induction on the structure of $e$. We demonstrate the proof here only for a few cases; the rest follow analogously.

• case $e = e_1\,[\tau_1]$: We have that $\mathcal{E};\Delta \vdash \tau' : \kappa$ and also that $\mathcal{E};\Delta,\alpha{:}\kappa;\Gamma \vdash e_1\,[\tau_1] : \tau$. By the typing rule for a type application we get that

$$\mathcal{E};\Delta,\alpha{:}\kappa;\Gamma \vdash e_1 : \forall\beta{:}\kappa_1.\,\tau_2 \quad\text{and}\quad \mathcal{E};\Delta,\alpha{:}\kappa \vdash \tau_1 : \kappa_1 \quad\text{and}\quad \tau = \tau_2\{\tau_1/\beta\}$$

By induction on $e_1$,

$$\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash e_1\{\tau'/\alpha\} : \forall\beta{:}\kappa_1.\,\tau_2\{\tau'/\alpha\}$$

By Lemma B.8, $\mathcal{E};\Delta \vdash \tau_1\{\tau'/\alpha\} : \kappa_1$. Therefore

$$\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash (e_1\{\tau'/\alpha\})\,[\tau_1\{\tau'/\alpha\}] : (\tau_2\{\tau'/\alpha\})\{\tau_1\{\tau'/\alpha\}/\beta\}$$

But this is equivalent to

$$\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash (e_1\{\tau'/\alpha\})\,[\tau_1\{\tau'/\alpha\}] : (\tau_2\{\tau_1/\beta\})\{\tau'/\alpha\}$$

• case $e = e_1\,[\kappa_1]^{+}$: We have that $\mathcal{E};\Delta,\alpha{:}\kappa;\Gamma \vdash e_1\,[\kappa_1]^{+} : \tau$ and $\mathcal{E};\Delta \vdash \tau' : \kappa$. By the typing rule for kind application,

$$\mathcal{E};\Delta,\alpha{:}\kappa;\Gamma \vdash e_1 : \forall^{+}\chi.\,\tau_1 \quad\text{and}\quad \tau = \tau_1\{\kappa_1/\chi\} \quad\text{and}\quad \mathcal{E} \vdash \kappa_1$$

By induction on $e_1$,

$$\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash e_1\{\tau'/\alpha\} : \forall^{+}\chi.\,\tau_1\{\tau'/\alpha\}$$

Therefore

$$\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash (e_1\{\tau'/\alpha\})\,[\kappa_1]^{+} : (\tau_1\{\tau'/\alpha\})\{\kappa_1/\chi\}$$

Since $\chi$ does not occur free in $\tau'$,

$$(\tau_1\{\tau'/\alpha\})\{\kappa_1/\chi\} = (\tau_1\{\kappa_1/\chi\})\{\tau'/\alpha\}$$

• case $e = \mathrm{typecase}[\tau_0]\ \tau_1\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}})$: We have that $\mathcal{E};\Delta \vdash \tau' : \kappa$ and $\mathcal{E};\Delta,\alpha{:}\kappa;\Gamma \vdash \mathrm{typecase}[\tau_0]\ \tau_1\ \mathrm{of}\ (e_{\mathrm{int}};e_{\to};e_{\forall};e_{\forall^{+}}) : \tau_0\,\tau_1$. Using Lemma B.8 on the kind derivation of $\tau_0$ and $\tau_1$, and the inductive assumption on the typing rules for the subterms we get

$$\begin{array}{l}
\mathcal{E};\Delta \vdash \tau_0\{\tau'/\alpha\} : \Omega \to \Omega \quad\text{and} \\
\mathcal{E};\Delta \vdash \tau_1\{\tau'/\alpha\} : \Omega \quad\text{and} \\
\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash e_{\mathrm{int}}\{\tau'/\alpha\} : (\tau_0\ \mathrm{int})\{\tau'/\alpha\} \quad\text{and} \\
\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash e_{\to}\{\tau'/\alpha\} : (\forall\alpha_1{:}\Omega.\,\forall\alpha_2{:}\Omega.\,\tau_0\,(\alpha_1 \to \alpha_2))\{\tau'/\alpha\} \quad\text{and} \\
\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash e_{\forall}\{\tau'/\alpha\} : (\forall^{+}\chi.\,\forall\alpha{:}\chi \to \Omega.\,\tau_0\,(\forall\,[\chi]\ \alpha))\{\tau'/\alpha\} \quad\text{and} \\
\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash e_{\forall^{+}}\{\tau'/\alpha\} : (\forall\alpha{:}\forall\chi.\,\Omega.\,\tau_0\,(\forall^{+}\alpha))\{\tau'/\alpha\}
\end{array}$$

The above typing judgments are equivalent to

$$\begin{array}{l}
\mathcal{E};\Delta \vdash \tau_0\{\tau'/\alpha\} : \Omega \to \Omega \quad\text{and} \\
\mathcal{E};\Delta \vdash \tau_1\{\tau'/\alpha\} : \Omega \quad\text{and} \\
\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash e_{\mathrm{int}}\{\tau'/\alpha\} : (\tau_0\{\tau'/\alpha\})\ \mathrm{int} \quad\text{and} \\
\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash e_{\to}\{\tau'/\alpha\} : \forall\alpha_1{:}\Omega.\,\forall\alpha_2{:}\Omega.\,(\tau_0\{\tau'/\alpha\})\,(\alpha_1 \to \alpha_2) \quad\text{and} \\
\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash e_{\forall}\{\tau'/\alpha\} : \forall^{+}\chi.\,\forall\alpha{:}\chi \to \Omega.\,(\tau_0\{\tau'/\alpha\})\,(\forall\,[\chi]\ \alpha) \quad\text{and} \\
\mathcal{E};\Delta;\Gamma\{\tau'/\alpha\} \vdash e_{\forall^{+}}\{\tau'/\alpha\} : \forall\alpha{:}\forall\chi.\,\Omega.\,(\tau_0\{\tau'/\alpha\})\,(\forall^{+}\alpha)
\end{array}$$

from which the statement of the lemma follows directly. □

Lemma B.10 If $\mathcal{E};\Delta;\Gamma,x{:}\tau' \vdash e : \tau$ and $\mathcal{E};\Delta;\Gamma \vdash e' : \tau'$, then $\mathcal{E};\Delta;\Gamma \vdash e\{e'/x\} : \tau$.

Proof Proved by induction over the structure of $e$. The different cases are proved similarly. We will show only two cases here.

• case $e = \Lambda\alpha{:}\kappa.\,v$. We have that

$\mathcal{E};\Delta;\Gamma,x{:}\tau' \vdash \Lambda\alpha{:}\kappa.\,v : \forall\alpha{:}\kappa.\ \tau$ and
$\mathcal{E};\Delta;\Gamma \vdash e' : \tau'$

Since $e$ can always be alpha-converted, we assume that $\alpha$ is not previously defined in $\Delta$. This implies $\mathcal{E};\Delta,\alpha{:}\kappa;\Gamma,x{:}\tau' \vdash v : \tau$. Since $\alpha$ is not free in $e'$, we have $\mathcal{E};\Delta,\alpha{:}\kappa;\Gamma \vdash e' : \tau'$. By induction, $\mathcal{E};\Delta,\alpha{:}\kappa;\Gamma \vdash v\{e'/x\} : \tau$. Hence $\mathcal{E};\Delta;\Gamma \vdash \Lambda\alpha{:}\kappa.\,v\{e'/x\} : \forall\alpha{:}\kappa.\ \tau$.

• case $e = \mathrm{typecase}[\tau_0]\ \tau_1\ \mathrm{of}\ (e_{\mathrm{int}};\ e_\to;\ e_\forall;\ e_{\forall^+})$: We have that

$\mathcal{E};\Delta;\Gamma \vdash e' : \tau'$ and
$\mathcal{E};\Delta;\Gamma,x{:}\tau' \vdash \mathrm{typecase}[\tau_0]\ \tau_1\ \mathrm{of}\ (e_{\mathrm{int}};\ e_\to;\ e_\forall;\ e_{\forall^+}) : \tau_0\,\tau_1$

By the typecase typing rule we get

$\mathcal{E};\Delta \vdash \tau_0 : \Omega \to \Omega$ and
$\mathcal{E};\Delta \vdash \tau_1 : \Omega$ and
$\mathcal{E};\Delta;\Gamma,x{:}\tau' \vdash e_{\mathrm{int}} : \tau_0\ \mathrm{int}$ and
$\mathcal{E};\Delta;\Gamma,x{:}\tau' \vdash e_\to : \forall\alpha_1{:}\Omega.\ \forall\alpha_2{:}\Omega.\ \tau_0\,(\alpha_1 \to \alpha_2)$ and
$\mathcal{E};\Delta;\Gamma,x{:}\tau' \vdash e_\forall : \forall^+\chi.\ \forall\alpha{:}\chi \to \Omega.\ \tau_0\,(\forall\,[\chi]\,\alpha)$ and
$\mathcal{E};\Delta;\Gamma,x{:}\tau' \vdash e_{\forall^+} : \forall\alpha{:}\forall\chi.\,\Omega.\ \tau_0\,(\forall^+\alpha)$

Applying the inductive hypothesis to each of the subterms $e_{\mathrm{int}}$, $e_\to$, $e_\forall$, $e_{\forall^+}$ yields directly the claim. □

(kinds) $\kappa ::= \Omega \mid \kappa \to \kappa' \mid \chi \mid \forall\chi.\,\kappa$

(types) $\tau ::= \mathrm{int} \mid \to \mid \forall \mid \forall^+ \mid \alpha \mid \Lambda\chi.\,\tau \mid \lambda\alpha{:}\kappa.\,\tau \mid \tau\,[\kappa] \mid \tau\,\tau' \mid \mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$

Figure 25: The type language

Definition B.11 $e$ evaluates to $e'$ (written $e \mapsto e'$) if there exist $E$, $e_1$, and $e_2$ such that $e = E[e_1]$ and $e' = E[e_2]$ and $e_1 \leadsto e_2$.

Theorem B.12 (Subject reduction) If $\vdash e : \tau$ and $e \mapsto e'$, then $\vdash e' : \tau$.

Proof By Lemma B.2, $e$ can be decomposed into unique $E$ and unique redex $e_1$ such that $e = E[e_1]$. By definition, $e' = E[e_2]$ and $e_1 \leadsto e_2$. By Lemma B.4, there exists a $\tau'$ such that $\vdash e_1 : \tau'$. By the same lemma, all we need to prove is that $\vdash e_2 : \tau'$ holds. This is proved by considering each possible redex in turn. We will show only two cases, the rest follow similarly.

• case $e_1 = (\mathrm{fix}\,x{:}\tau_1.\,v)\,v'$: Then $e_2 = (v\{\mathrm{fix}\,x{:}\tau_1.\,v/x\})\,v'$. We have that $\vdash (\mathrm{fix}\,x{:}\tau_1.\,v)\,v' : \tau'$. By the typing rules for term application we get that for some $\tau_2$,

$\vdash \mathrm{fix}\,x{:}\tau_1.\,v : \tau_2 \to \tau'$ and
$\vdash v' : \tau_2$

By the typing rule for fix we get that,

$\vdash \tau_1 = \tau_2 \to \tau'$ and
$\epsilon;\epsilon;\epsilon,x{:}\tau_2 \to \tau' \vdash v : \tau_2 \to \tau'$

Using Lemma B.10 and the typing rule for application, we obtain the desired judgment

$\vdash (v\{\mathrm{fix}\,x{:}\tau_1.\,v/x\})\,v' : \tau'$

• case $e_1 = \mathrm{typecase}[\tau_0]\ \tau_1\ \mathrm{of}\ (e_{\mathrm{int}};\ e_\to;\ e_\forall;\ e_{\forall^+})$: If $\tau_1$ is not in normal form, the reduction is to $e_2 = \mathrm{typecase}[\tau_0]\ \nu_1\ \mathrm{of}\ (e_{\mathrm{int}};\ e_\to;\ e_\forall;\ e_{\forall^+})$, where $\epsilon;\epsilon \vdash \tau_1 \leadsto^* \nu_1 : \Omega$. The latter implies $\epsilon;\epsilon \vdash \tau_0\,\tau_1 = \tau_0\,\nu_1 : \Omega$, hence $\vdash e_2 : \tau'$ follows directly from $\vdash e_1 : \tau'$.

If $\tau_1$ is in normal form $\nu_1$, by the second premise of the typing rule for typecase and Lemma B.1 we have four cases for $\nu_1$. In each case the contraction has the desired type $\tau_0\,\nu_1$, according to the corresponding premises of the typecase typing rule and the rules for type and kind applications. □

B.2 Strong normalization

The type language is shown in Figure 25. The single step reduction relation ($\tau \leadsto \tau'$) is shown in Figure 27.

Lemma B.13 If $\mathcal{E};\Delta \vdash \tau : \kappa$ and $\tau \leadsto \tau'$, then $\mathcal{E};\Delta \vdash \tau' : \kappa$.

Proof (Sketch) The proof follows from a case analysis of the reduction relation ($\leadsto$). □

Lemma B.14 If $\tau_1 \leadsto \tau_2$, then $\tau_1\{\tau/\alpha\} \leadsto \tau_2\{\tau/\alpha\}$.

Proof The proof is by enumerating each possible reduction from $\tau_1$ to $\tau_2$.

case $\beta_1$: In this case, $\tau_1 = (\lambda\beta{:}\kappa.\,\tau')\,\tau''$ and $\tau_2 = \tau'\{\tau''/\beta\}$. This implies that

$\tau_1\{\tau/\alpha\} = (\lambda\beta{:}\kappa.\,\tau'\{\tau/\alpha\})\,\tau''\{\tau/\alpha\}$

This beta reduces to

$(\tau'\{\tau/\alpha\})\{\tau''\{\tau/\alpha\}/\beta\}$

Since $\beta$ does not occur free in $\tau$, this is equivalent to

$(\tau'\{\tau''/\beta\})\{\tau/\alpha\}$

case $\beta_2$: In this case, $\tau_1 = (\Lambda\chi.\,\tau')\,[\kappa]$ and $\tau_2 = \tau'\{\kappa/\chi\}$. We get that

$\tau_1\{\tau/\alpha\} = (\Lambda\chi.\,\tau'\{\tau/\alpha\})\,[\kappa]$

This beta reduces to

$\tau'\{\tau/\alpha\}\{\kappa/\chi\}$

Since $\chi$ is not free in $\tau$, this is equivalent to

$(\tau'\{\kappa/\chi\})\{\tau/\alpha\}$

case $\eta_1$: In this case, $\tau_1 = \lambda\beta{:}\kappa.\,\tau'\,\beta$ and $\tau_2 = \tau'$ and $\beta$ does not occur free in $\tau'$. We get that

$\tau_1\{\tau/\alpha\} = \lambda\beta{:}\kappa.\,(\tau'\{\tau/\alpha\})\,\beta$

Since this is a capture avoiding substitution, $\beta$ still does not occur free in $\tau'\{\tau/\alpha\}$. Therefore this eta reduces to $\tau'\{\tau/\alpha\}$.

case $\eta_2$: In this case, $\tau_1 = \Lambda\chi.\,\tau'\,[\chi]$ and $\tau_2 = \tau'$ and $\chi$ does not occur free in $\tau'$. We get that

$\tau_1\{\tau/\alpha\} = \Lambda\chi.\,(\tau'\{\tau/\alpha\})\,[\chi]$

Since this is a capture avoiding substitution, $\chi$ still does not occur free in $\tau'\{\tau/\alpha\}$. Therefore, this eta reduces to $\tau'\{\tau/\alpha\}$.

case $\iota_1$: $\tau_1 = \mathrm{Typerec}[\kappa]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ and $\tau_2 = \tau_{\mathrm{int}}$. We get that

$\tau_1\{\tau/\alpha\} = \mathrm{Typerec}[\kappa]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\};\ \tau_\to\{\tau/\alpha\};\ \tau_\forall\{\tau/\alpha\};\ \tau_{\forall^+}\{\tau/\alpha\})$

But this reduces by the $\iota_1$ reduction to $\tau_{\mathrm{int}}\{\tau/\alpha\}$.

case $\iota_2$: $\tau_1 = \mathrm{Typerec}[\kappa]\ (\tau' \to \tau'')\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ and

$\tau_2 = \tau_\to\,\tau'\,\tau''\,(\mathrm{Typerec}[\kappa]\ \tau'\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}))\,(\mathrm{Typerec}[\kappa]\ \tau''\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}))$

We get that

$\tau_1\{\tau/\alpha\} = \mathrm{Typerec}[\kappa]\ (\tau'\{\tau/\alpha\} \to \tau''\{\tau/\alpha\})\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\};\ \tau_\to\{\tau/\alpha\};\ \tau_\forall\{\tau/\alpha\};\ \tau_{\forall^+}\{\tau/\alpha\})$

This reduces by $\iota_2$ to

$\tau_\to\{\tau/\alpha\}\,(\tau'\{\tau/\alpha\})\,(\tau''\{\tau/\alpha\})\,(\mathrm{Typerec}[\kappa]\ (\tau'\{\tau/\alpha\})\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\};\ \tau_\to\{\tau/\alpha\};\ \tau_\forall\{\tau/\alpha\};\ \tau_{\forall^+}\{\tau/\alpha\}))\,(\mathrm{Typerec}[\kappa]\ (\tau''\{\tau/\alpha\})\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\};\ \tau_\to\{\tau/\alpha\};\ \tau_\forall\{\tau/\alpha\};\ \tau_{\forall^+}\{\tau/\alpha\}))$

But this is syntactically equal to $\tau_2\{\tau/\alpha\}$.

case $\iota_3$: $\tau_1 = \mathrm{Typerec}[\kappa]\ (\forall\,[\kappa']\,\tau')\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ and

$\tau_2 = \tau_\forall\,[\kappa']\,\tau'\,(\lambda\beta{:}\kappa'.\ \mathrm{Typerec}[\kappa]\ (\tau'\,\beta)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}))$

We get that

$\tau_1\{\tau/\alpha\} = \mathrm{Typerec}[\kappa]\ (\forall\,[\kappa']\,\tau'\{\tau/\alpha\})\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\};\ \tau_\to\{\tau/\alpha\};\ \tau_\forall\{\tau/\alpha\};\ \tau_{\forall^+}\{\tau/\alpha\})$

This reduces by $\iota_3$ to

$\tau_\forall\{\tau/\alpha\}\,[\kappa']\,(\tau'\{\tau/\alpha\})\,(\lambda\beta{:}\kappa'.\ \mathrm{Typerec}[\kappa]\ ((\tau'\{\tau/\alpha\})\,\beta)\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\};\ \tau_\to\{\tau/\alpha\};\ \tau_\forall\{\tau/\alpha\};\ \tau_{\forall^+}\{\tau/\alpha\}))$

But this is syntactically equivalent to $\tau_2\{\tau/\alpha\}$.

case $\iota_4$: $\tau_1 = \mathrm{Typerec}[\kappa]\ (\forall^+\tau')\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ and

$\tau_2 = \tau_{\forall^+}\,\tau'\,(\Lambda\chi.\ \mathrm{Typerec}[\kappa]\ (\tau'\,[\chi])\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}))$

We get that

$\tau_1\{\tau/\alpha\} = \mathrm{Typerec}[\kappa]\ (\forall^+\tau'\{\tau/\alpha\})\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\};\ \tau_\to\{\tau/\alpha\};\ \tau_\forall\{\tau/\alpha\};\ \tau_{\forall^+}\{\tau/\alpha\})$

This reduces by $\iota_4$ to

$\tau_{\forall^+}\{\tau/\alpha\}\,(\tau'\{\tau/\alpha\})\,(\Lambda\chi.\ \mathrm{Typerec}[\kappa]\ ((\tau'\{\tau/\alpha\})\,[\chi])\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\};\ \tau_\to\{\tau/\alpha\};\ \tau_\forall\{\tau/\alpha\};\ \tau_{\forall^+}\{\tau/\alpha\}))$

But this is syntactically equal to $\tau_2\{\tau/\alpha\}$. □
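As an added example (not code from the paper), the following Python model encodes the Typerec fragment of the type language of Figure 25 and the head reductions $\beta_1$ and $\iota_1$ to $\iota_4$ enumerated in the proof of Lemma B.14, then checks the lemma mechanically on constructed redexes and normalizes one instance of $\mathrm{Typerec}$ over an arrow type. Kinds are opaque strings, so kind substitution (Lemma B.15) and the $\beta_2$/$\eta$ rules are not modelled; the variable names `alpha`, `tint`, `tarr`, `tall`, `tallp`, the binder names `beta` and `chi`, and all sample types are constructed for this demonstration.

```python
"""Model of the Typerec fragment of the Figure 25 type language (added example,
not the paper's code). Types are nested tuples; kinds are opaque strings, so
kind substitution (Lemma B.15) and the beta_2 / eta rules are not modelled.
All variable names and sample types below are constructed for this demo."""
from itertools import count

INT, ARROW, FORALL, FORALLP = ("int",), ("arrow",), ("forall",), ("forallplus",)
_fresh = count()

def var(a): return ("var", a)                      # type variable alpha
def lam(a, k, body): return ("lam", a, k, body)    # lambda alpha:kappa. body
def Lam(chi, body): return ("Lam", chi, body)      # Lambda chi. body
def app(f, x): return ("app", f, x)                # type application
def kapp(t, k): return ("kapp", t, k)              # kind application t [kappa]
def typerec(k, t, tint, tarr, tall, tallp):        # Typerec[k] t of (branches)
    return ("typerec", k, t, tint, tarr, tall, tallp)

def free_tvars(t):
    """Free type variables of t (kinds carry no type variables)."""
    if t[0] == "var":
        return {t[1]}
    if t[0] == "lam":
        return free_tvars(t[3]) - {t[1]}
    return set().union(*(free_tvars(c) for c in t[1:] if isinstance(c, tuple)))

def pick(name, avoid):
    """Keep `name` as a binder unless it would capture a variable in `avoid`."""
    return name if name not in avoid else f"{name}{next(_fresh)}"

def subst(t, tau, alpha):
    """Capture-avoiding substitution t{tau/alpha}."""
    if t[0] == "var":
        return tau if t[1] == alpha else t
    if t[0] == "lam":
        b, k, body = t[1], t[2], t[3]
        if b == alpha:                       # alpha is shadowed: nothing to substitute
            return t
        b2 = pick(b, free_tvars(tau))        # rename the binder if tau mentions it
        if b2 != b:
            body = subst(body, var(b2), b)
        return lam(b2, k, subst(body, tau, alpha))
    return tuple(subst(c, tau, alpha) if isinstance(c, tuple) else c for c in t)

def head_step(t):
    """One head reduction by beta_1 or iota_1..iota_4; None if t is not a head redex."""
    if t[0] == "app" and t[1][0] == "lam":                          # beta_1
        return subst(t[1][3], t[2], t[1][1])
    if t[0] != "typerec":
        return None
    _, k, s, tint, tarr, tall, tallp = t
    rec = lambda u: typerec(k, u, tint, tarr, tall, tallp)          # Typerec[k] u of (...)
    if s == INT:                                                    # iota_1
        return tint
    if s[0] == "app" and s[1][0] == "app" and s[1][1] == ARROW:     # iota_2: t1 -> t2
        t1, t2 = s[1][2], s[2]
        return app(app(app(app(tarr, t1), t2), rec(t1)), rec(t2))
    if s[0] == "app" and s[1][0] == "kapp" and s[1][1] == FORALL:   # iota_3: forall [k1] t1
        k1, t1 = s[1][2], s[2]
        b = pick("beta", free_tvars(t))
        return app(app(kapp(tall, k1), t1), lam(b, k1, rec(app(t1, var(b)))))
    if s[0] == "app" and s[1] == FORALLP:                           # iota_4: forall^+ t1
        t1 = s[2]
        return app(app(tallp, t1), Lam("chi", rec(kapp(t1, "chi"))))
    return None

def step(t):
    """Leftmost-outermost single step of the relation ~>, or None in normal form."""
    r = head_step(t)
    if r is not None:
        return r
    for i, c in enumerate(t):
        if isinstance(c, tuple) and (r := step(c)) is not None:
            return t[:i] + (r,) + t[i + 1:]
    return None

def normalize(t, limit=1000):
    """Iterate `step` to a normal form; `limit` is only a guard, not a termination proof."""
    for _ in range(limit):
        r = step(t)
        if r is None:
            return t
        t = r
    raise RuntimeError("no normal form within limit")

def lemma_b14_instance(t1, tau, alpha):
    """Lemma B.14 on one head redex: t1 ~> t2 implies t1{tau/alpha} ~> t2{tau/alpha}."""
    t2 = head_step(t1)
    return t2 is not None and head_step(subst(t1, tau, alpha)) == subst(t2, tau, alpha)

BRANCHES = (var("tint"), var("tarr"), var("tall"), var("tallp"))   # constructed branches

def demo():
    """Check the iota_2, iota_3, iota_4 cases on constructed redexes and normalize one."""
    tau = app(app(ARROW, INT), INT)                                 # int -> int
    t2 = typerec("Omega", app(app(ARROW, var("alpha")), INT), *BRANCHES)
    t3 = typerec("Omega", app(kapp(FORALL, "Omega"), var("alpha")), *BRANCHES)
    t4 = typerec("Omega", app(FORALLP, var("alpha")), *BRANCHES)
    ok = (lemma_b14_instance(t2, tau, "alpha")
          and lemma_b14_instance(t3, lam("g", "Omega", var("g")), "alpha")
          and lemma_b14_instance(t4, Lam("c", INT), "alpha"))
    return ok, normalize(subst(t2, tau, "alpha"))

if __name__ == "__main__":
    print(demo())
```

The normal form returned by `demo()` is $\tau_\to\,(\mathrm{int} \to \mathrm{int})\ \mathrm{int}\ (\tau_\to\ \mathrm{int}\ \mathrm{int}\ \tau_{\mathrm{int}}\ \tau_{\mathrm{int}})\ \tau_{\mathrm{int}}$, that is, the $\iota_2$ contraction followed by $\iota_2$ and $\iota_1$ on the inner Typerecs; `normalize` terminates here because the scrutinee is a closed constructor type, and its iteration bound is a guard, not a substitute for the strong normalization argument of Section B.2.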

Lemma B.15 If $\tau_1 \leadsto \tau_2$, then $\tau_1\{\kappa'/\chi'\} \leadsto \tau_2\{\kappa'/\chi'\}$.

Proof This is proved by case analysis of the type reduction relation.

case $\beta_1$: In this case, $\tau_1 = (\lambda\beta{:}\kappa.\,\tau')\,\tau''$ and $\tau_2 = \tau'\{\tau''/\beta\}$. This implies that

$\tau_1\{\kappa'/\chi'\} = (\lambda\beta{:}\kappa\{\kappa'/\chi'\}.\,\tau'\{\kappa'/\chi'\})\,\tau''\{\kappa'/\chi'\}$

This beta reduces to

$(\tau'\{\kappa'/\chi'\})\{\tau''\{\kappa'/\chi'\}/\beta\}$

But this is equivalent to

$(\tau'\{\tau''/\beta\})\{\kappa'/\chi'\}$

case $\beta_2$: In this case, $\tau_1 = (\Lambda\chi.\,\tau')\,[\kappa]$ and $\tau_2 = \tau'\{\kappa/\chi\}$. We get that

$\tau_1\{\kappa'/\chi'\} = (\Lambda\chi.\,\tau'\{\kappa'/\chi'\})\,[\kappa\{\kappa'/\chi'\}]$

This beta reduces to

$\tau'\{\kappa'/\chi'\}\{\kappa\{\kappa'/\chi'\}/\chi\}$

Since $\chi$ is not free in $\kappa'$, this is equivalent to

$(\tau'\{\kappa/\chi\})\{\kappa'/\chi'\}$

case $\eta_1$: In this case, $\tau_1 = \lambda\beta{:}\kappa.\,\tau'\,\beta$ and $\tau_2 = \tau'$ and $\beta$ does not occur free in $\tau'$. We get that

$\tau_1\{\kappa'/\chi'\} = \lambda\beta{:}\kappa\{\kappa'/\chi'\}.\,(\tau'\{\kappa'/\chi'\})\,\beta$

Again $\beta$ does not occur free in $\tau'\{\kappa'/\chi'\}$. Therefore this eta reduces to $\tau'\{\kappa'/\chi'\}$.

case $\eta_2$: In this case, $\tau_1 = \Lambda\chi.\,\tau'\,[\chi]$ and $\tau_2 = \tau'$ and $\chi$ does not occur free in $\tau'$. We get that

$\tau_1\{\kappa'/\chi'\} = \Lambda\chi.\,(\tau'\{\kappa'/\chi'\})\,[\chi]$

Since this is a capture avoiding substitution, $\chi$ still does not occur free in $\tau'\{\kappa'/\chi'\}$. Therefore, this eta reduces to $\tau'\{\kappa'/\chi'\}$.

case $\iota_1$: $\tau_1 = \mathrm{Typerec}[\kappa]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ and $\tau_2 = \tau_{\mathrm{int}}$. We get that

$\tau_1\{\kappa'/\chi'\} = \mathrm{Typerec}[\kappa\{\kappa'/\chi'\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\kappa'/\chi'\};\ \tau_\to\{\kappa'/\chi'\};\ \tau_\forall\{\kappa'/\chi'\};\ \tau_{\forall^+}\{\kappa'/\chi'\})$

But this reduces by the $\iota_1$ reduction to $\tau_{\mathrm{int}}\{\kappa'/\chi'\}$.

case $\iota_2$: $\tau_1 = \mathrm{Typerec}[\kappa]\ (\tau' \to \tau'')\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ and

$\tau_2 = \tau_\to\,\tau'\,\tau''\,(\mathrm{Typerec}[\kappa]\ \tau'\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}))\,(\mathrm{Typerec}[\kappa]\ \tau''\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}))$

We get that

$\tau_1\{\kappa'/\chi'\} = \mathrm{Typerec}[\kappa\{\kappa'/\chi'\}]\ (\tau'\{\kappa'/\chi'\} \to \tau''\{\kappa'/\chi'\})\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\kappa'/\chi'\};\ \tau_\to\{\kappa'/\chi'\};\ \tau_\forall\{\kappa'/\chi'\};\ \tau_{\forall^+}\{\kappa'/\chi'\})$

This reduces by $\iota_2$ to

$\tau_\to\{\kappa'/\chi'\}\,(\tau'\{\kappa'/\chi'\})\,(\tau''\{\kappa'/\chi'\})\,(\mathrm{Typerec}[\kappa\{\kappa'/\chi'\}]\ (\tau'\{\kappa'/\chi'\})\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\kappa'/\chi'\};\ \tau_\to\{\kappa'/\chi'\};\ \tau_\forall\{\kappa'/\chi'\};\ \tau_{\forall^+}\{\kappa'/\chi'\}))\,(\mathrm{Typerec}[\kappa\{\kappa'/\chi'\}]\ (\tau''\{\kappa'/\chi'\})\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\kappa'/\chi'\};\ \tau_\to\{\kappa'/\chi'\};\ \tau_\forall\{\kappa'/\chi'\};\ \tau_{\forall^+}\{\kappa'/\chi'\}))$

But this is syntactically equal to $\tau_2\{\kappa'/\chi'\}$.

case $\iota_3$: $\tau_1 = \mathrm{Typerec}[\kappa]\ (\forall\,[\kappa_1]\,\tau')\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ and

$\tau_2 = \tau_\forall\,[\kappa_1]\,\tau'\,(\lambda\beta{:}\kappa_1.\ \mathrm{Typerec}[\kappa]\ (\tau'\,\beta)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}))$

We get that

$\tau_1\{\kappa'/\chi'\} = \mathrm{Typerec}[\kappa\{\kappa'/\chi'\}]\ (\forall\,[\kappa_1\{\kappa'/\chi'\}]\,\tau'\{\kappa'/\chi'\})\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\kappa'/\chi'\};\ \tau_\to\{\kappa'/\chi'\};\ \tau_\forall\{\kappa'/\chi'\};\ \tau_{\forall^+}\{\kappa'/\chi'\})$

This reduces by $\iota_3$ to

$\tau_\forall\{\kappa'/\chi'\}\,[\kappa_1\{\kappa'/\chi'\}]\,(\tau'\{\kappa'/\chi'\})\,(\lambda\beta{:}\kappa_1\{\kappa'/\chi'\}.\ \mathrm{Typerec}[\kappa\{\kappa'/\chi'\}]\ ((\tau'\{\kappa'/\chi'\})\,\beta)\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\kappa'/\chi'\};\ \tau_\to\{\kappa'/\chi'\};\ \tau_\forall\{\kappa'/\chi'\};\ \tau_{\forall^+}\{\kappa'/\chi'\}))$

But this is syntactically equivalent to $\tau_2\{\kappa'/\chi'\}$.

case $\iota_4$: $\tau_1 = \mathrm{Typerec}[\kappa]\ (\forall^+\tau')\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ and

$\tau_2 = \tau_{\forall^+}\,\tau'\,(\Lambda\chi.\ \mathrm{Typerec}[\kappa]\ (\tau'\,[\chi])\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}))$

We get that

$\tau_1\{\kappa'/\chi'\} = \mathrm{Typerec}[\kappa\{\kappa'/\chi'\}]\ (\forall^+\tau'\{\kappa'/\chi'\})\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\kappa'/\chi'\};\ \tau_\to\{\kappa'/\chi'\};\ \tau_\forall\{\kappa'/\chi'\};\ \tau_{\forall^+}\{\kappa'/\chi'\})$

This reduces by $\iota_4$ to

$\tau_{\forall^+}\{\kappa'/\chi'\}\,(\tau'\{\kappa'/\chi'\})\,(\Lambda\chi.\ \mathrm{Typerec}[\kappa\{\kappa'/\chi'\}]\ ((\tau'\{\kappa'/\chi'\})\,[\chi])\ \mathrm{of}\ (\tau_{\mathrm{int}}\{\kappa'/\chi'\};\ \tau_\to\{\kappa'/\chi'\};\ \tau_\forall\{\kappa'/\chi'\};\ \tau_{\forall^+}\{\kappa'/\chi'\}))$

But this is syntactically equal to $\tau_2\{\kappa'/\chi'\}$. □

Definition B.16 A type $\tau$ is strongly normalizable if every reduction sequence from $\tau$ terminates into a normal form (with no redexes). We use $\nu(\tau)$ to denote the length of the largest reduction sequence from $\tau$ to a normal form.

Definition B.17 We define neutral types, $n$, as

$n_0 ::= \Lambda\chi.\,\tau \mid \lambda\alpha{:}\kappa.\,\tau$
$n ::= \alpha \mid n_0\,\tau \mid n\,\tau \mid n_0\,[\kappa] \mid n\,[\kappa] \mid \mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$

Definition B.18 A reducibility candidate (also referred to as a candidate) of kind $\kappa$ is a set $C$ of types of kind $\kappa$ such that

1. if $\tau \in C$, then $\tau$ is strongly normalizable.

2. if $\tau \in C$ and $\tau \leadsto \tau'$, then $\tau' \in C$.

3. if $\tau$ is neutral and if for all $\tau'$ such that $\tau \leadsto \tau'$, we have that $\tau' \in C$, then $\tau \in C$.

This implies that the candidates are never empty since if $\alpha$ has kind $\kappa$, then $\alpha$ belongs to candidates of kind $\kappa$.

Definition B.19 Let $\kappa$ be an arbitrary kind. Let $C_\kappa$ be a candidate of kind $\kappa$. Let $C_{\Omega \to \Omega \to \kappa \to \kappa \to \kappa}$ be a candidate of kind $\Omega \to \Omega \to \kappa \to \kappa \to \kappa$. Let $C_{\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa}$ be a candidate of kind $\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa$. Let $C_{(\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa}$ be a candidate of kind $(\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa$. We then define the set $R_\Omega$ of types of kind $\Omega$ as

$\tau \in R_\Omega$ iff
$\forall\tau_{\mathrm{int}} \in C_\kappa,$
$\forall\tau_\to \in C_{\Omega \to \Omega \to \kappa \to \kappa \to \kappa},$
$\forall\tau_\forall \in C_{\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa},$
$\forall\tau_{\forall^+} \in C_{(\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa}$
$\Rightarrow \mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}) \in C_\kappa$

Lemma B.20 $R_\Omega$ is a candidate of kind $\Omega$.

Proof Suppose $\tau \in R_\Omega$. Suppose $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$ belong to $C_\kappa$, $C_{\Omega \to \Omega \to \kappa \to \kappa \to \kappa}$, $C_{\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa}$, $C_{(\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa}$ respectively, where the candidates are of the appropriate kinds (see Definition B.19).

Consider $\tau' = \mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$. By definition this belongs to $C_\kappa$. By property 1 of Definition B.18, $\tau'$ is strongly normalizable and therefore $\tau$ must be strongly normalizable.

Consider $\tau' = \mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$. Suppose $\tau \leadsto \tau_1$. Then $\tau' \leadsto \mathrm{Typerec}[\kappa]\ \tau_1\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$. Since $\tau' \in C_\kappa$, $\mathrm{Typerec}[\kappa]\ \tau_1\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ belongs to $C_\kappa$ by property 2 of Definition B.18. Therefore, by definition, $\tau_1$ belongs to $R_\Omega$.

Suppose $\tau$ is neutral and for all $\tau_1$ such that $\tau \leadsto \tau_1$, $\tau_1 \in R_\Omega$. Consider $\tau' = \mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$. Since we know that $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$ are strongly normalizable, we can induct over $len = \nu(\tau_{\mathrm{int}}) + \nu(\tau_\to) + \nu(\tau_\forall) + \nu(\tau_{\forall^+})$. We will prove that for all values of $len$, $\mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ always reduces to a type that belongs to $C_\kappa$; given that $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$ belong to $C_\kappa$, $C_{\Omega \to \Omega \to \kappa \to \kappa \to \kappa}$, $C_{\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa}$, and $C_{(\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa}$ respectively (see Definition B.19).

• $len = 0$ Then $\tau' \leadsto \mathrm{Typerec}[\kappa]\ \tau_1\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ is the only possible reduction since $\tau$ is neutral. By the assumption on $\tau_1$, this belongs to $C_\kappa$.

• $len = k + 1$ For the inductive case, assume that the hypothesis is true for $len = k$. That is, for $len = k$, $\mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ always reduces to a type that belongs to $C_\kappa$; given that $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$ belong to $C_\kappa$, $C_{\Omega \to \Omega \to \kappa \to \kappa \to \kappa}$, $C_{\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa}$, and $C_{(\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa}$ respectively. This implies that for $len = k$, $\mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ belongs to $C_\kappa$ (by property 3 of Definition B.18). For $len = k + 1$, consider $\tau' = \mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$. This can reduce to $\mathrm{Typerec}[\kappa]\ \tau_1\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ which belongs to $C_\kappa$. The other possible reductions are $\mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau'_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ where $\tau_{\mathrm{int}} \leadsto \tau'_{\mathrm{int}}$, or $\mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau'_\to;\ \tau_\forall;\ \tau_{\forall^+})$ where $\tau_\to \leadsto \tau'_\to$, or $\mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau'_\forall;\ \tau_{\forall^+})$ where $\tau_\forall \leadsto \tau'_\forall$, or $\mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau'_{\forall^+})$ where $\tau_{\forall^+} \leadsto \tau'_{\forall^+}$. By property 2 of Definition B.18, each of $\tau'_{\mathrm{int}}$, $\tau'_\to$, $\tau'_\forall$, and $\tau'_{\forall^+}$ belongs to the required candidate and $len = k$ for each of the reducts. Therefore, by the inductive hypothesis, each of the reducts belongs to $C_\kappa$.

Therefore $\mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ always reduces to a type that belongs to $C_\kappa$. By property 3 of Definition B.18, $\mathrm{Typerec}[\kappa]\ \tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ also belongs to $C_\kappa$. Therefore, $\tau \in R_\Omega$. □

Definition B.21 Let $C_1$ and $C_2$ be two candidates of kinds $\kappa_1$ and $\kappa_2$. We then define the set $C_1 \to C_2$, of types of kind $\kappa_1 \to \kappa_2$, as

$\tau \in C_1 \to C_2$ iff $\forall\tau'\,(\tau' \in C_1 \Rightarrow \tau\,\tau' \in C_2)$

Lemma B.22 If $C_1$ and $C_2$ are candidates of kinds $\kappa_1$ and $\kappa_2$, then $C_1 \to C_2$ is a candidate of kind $\kappa_1 \to \kappa_2$.

Proof Suppose $\tau$ of kind $\kappa_1 \to \kappa_2$ belongs to $C_1 \to C_2$. By definition, if $\tau' \in C_1$, then $\tau\,\tau' \in C_2$. Since $C_2$ is a candidate, $\tau\,\tau'$ is strongly normalizable. Therefore, $\tau$ must be strongly normalizable since for every sequence of reductions $\tau \leadsto \tau_1 \leadsto \ldots \leadsto \tau_k \leadsto \ldots$, there is a corresponding sequence of reductions $\tau\,\tau' \leadsto \tau_1\,\tau' \leadsto \ldots \leadsto \tau_k\,\tau' \leadsto \ldots$.

Suppose $\tau$ of kind $\kappa_1 \to \kappa_2$ belongs to $C_1 \to C_2$ and $\tau \leadsto \tau'$. Suppose $\tau_1 \in C_1$. By definition, $\tau\,\tau_1 \in C_2$. But $\tau\,\tau_1 \leadsto \tau'\,\tau_1$. By using property 2 of Definition B.18 on $C_2$, $\tau'\,\tau_1 \in C_2$; therefore, $\tau' \in C_1 \to C_2$.

Consider a neutral $\tau$ of kind $\kappa_1 \to \kappa_2$. Suppose that for all $\tau'$ such that $\tau \leadsto \tau'$, $\tau' \in C_1 \to C_2$. Consider $\tau\,\tau_1$ where $\tau_1 \in C_1$. Since $\tau_1$ is strongly normalizable, we can induct over $\nu(\tau_1)$. If $\nu(\tau_1) = 0$, then $\tau\,\tau_1 \leadsto \tau'\,\tau_1$. But $\tau'\,\tau_1 \in C_2$ (by assumption on $\tau'$), and since $\tau$ is neutral, no other reduction is possible. If $\nu(\tau_1) \neq 0$, then $\tau_1 \leadsto \tau_1'$. In this case, $\tau\,\tau_1$ may reduce to either $\tau'\,\tau_1$ or to $\tau\,\tau_1'$. We saw that the first reduct belongs to $C_2$. By property 2 of Definition B.18, $\tau_1' \in C_1$ and $\nu(\tau_1') < \nu(\tau_1)$. By the inductive assumption over $\nu(\tau_1)$, we get that $\tau\,\tau_1'$ belongs to $C_2$. By property 3 of Definition B.18, $\tau\,\tau_1 \in C_2$. This implies that $\tau \in C_1 \to C_2$. □

Definition B.23 We use $\overline{\chi}$ to denote the set $\chi_1, \ldots, \chi_n$ of $\chi$. We use a similar syntax to denote a set of other constructs.

Definition B.24 Let $\kappa[\overline{\chi}]$ be a kind where $\overline{\chi}$ contains all the free kind variables of $\kappa$. Let $\overline{\kappa}$ be a sequence of closed kinds of the same length and $\overline{C}$ be a sequence of candidates of the corresponding kind. We now define the set $S_\kappa[\overline{C}/\overline{\chi}]$ of types of kind $\kappa\{\overline{\kappa}/\overline{\chi}\}$ as

1. if $\kappa = \Omega$, then $S_\kappa[\overline{C}/\overline{\chi}] = R_\Omega$.

2. if $\kappa = \chi_i$, then $S_\kappa[\overline{C}/\overline{\chi}] = C_i$.

3. if $\kappa = \kappa_1 \to \kappa_2$, then $S_\kappa[\overline{C}/\overline{\chi}] = S_{\kappa_1}[\overline{C}/\overline{\chi}] \to S_{\kappa_2}[\overline{C}/\overline{\chi}]$.

4. if $\kappa = \forall\chi.\,\kappa'$, then $S_\kappa[\overline{C}/\overline{\chi}] =$ set of types $\tau$ of kind $\kappa\{\overline{\kappa}/\overline{\chi}\}$ such that for every kind $\kappa''$ and reducibility candidate $C''$ of this kind, $\tau\,[\kappa''] \in S_{\kappa'}[\overline{C}, C''/\overline{\chi}, \chi]$.

Lemma B.25 $S_\kappa[\overline{C}/\overline{\chi}]$ is a reducibility candidate of kind $\kappa\{\overline{\kappa}/\overline{\chi}\}$.

Proof For $\kappa = \Omega$, the lemma follows from Lemma B.20. For $\kappa = \chi$, the lemma follows by definition. If $\kappa = \kappa_1 \to \kappa_2$, then the lemma follows from the inductive hypothesis on $\kappa_1$ and $\kappa_2$ and Lemma B.22. We only need to prove the case for $\kappa = \forall\chi'.\,\kappa'$. We will induct over the size of $\kappa$ with the $\overline{\chi}$ containing all the free kind variables of $\kappa$.

Consider a $\tau \in S_{\forall\chi'.\,\kappa'}[\overline{C}/\overline{\chi}]$. By definition, for any kind $\kappa_1$ and corresponding candidate $C'$, $\tau\,[\kappa_1] \in S_{\kappa'}[\overline{C}, C'/\overline{\chi}, \chi']$. Applying the inductive hypothesis on $\kappa'$, we get that $S_{\kappa'}[\overline{C}, C'/\overline{\chi}, \chi']$ is a candidate. Therefore, $\tau\,[\kappa_1]$ is strongly normalizable which implies that $\tau$ is strongly normalizable.

Consider a $\tau \in S_{\forall\chi'.\,\kappa'}[\overline{C}/\overline{\chi}]$ and $\tau \leadsto \tau_1$. For any kind $\kappa_1$ and corresponding candidate $C'$, by definition, $\tau\,[\kappa_1] \in S_{\kappa'}[\overline{C}, C'/\overline{\chi}, \chi']$. But $\tau\,[\kappa_1] \leadsto \tau_1\,[\kappa_1]$. By the inductive hypothesis on $\kappa'$, we get that $S_{\kappa'}[\overline{C}, C'/\overline{\chi}, \chi']$ is a candidate. By property 2 of Definition B.18, $\tau_1\,[\kappa_1] \in S_{\kappa'}[\overline{C}, C'/\overline{\chi}, \chi']$. Therefore, $\tau_1 \in S_{\forall\chi'.\,\kappa'}[\overline{C}/\overline{\chi}]$.

Consider a neutral $\tau$ so that for all $\tau_1$, such that $\tau \leadsto \tau_1$, $\tau_1 \in S_{\forall\chi'.\,\kappa'}[\overline{C}/\overline{\chi}]$. Consider $\tau\,[\kappa_1]$ for an arbitrary kind $\kappa_1$ and corresponding candidate $C'$. We have that $\tau\,[\kappa_1] \leadsto \tau_1\,[\kappa_1]$. This is the only possible reduction since $\tau$ is neutral. By the assumption on $\tau_1$, $\tau_1\,[\kappa_1] \in S_{\kappa'}[\overline{C}, C'/\overline{\chi}, \chi']$. By inductive hypothesis on $\kappa'$, we get that $S_{\kappa'}[\overline{C}, C'/\overline{\chi}, \chi']$ is a candidate. By property 3 of Definition B.18, $\tau\,[\kappa_1] \in S_{\kappa'}[\overline{C}, C'/\overline{\chi}, \chi']$. Therefore $\tau \in S_{\forall\chi'.\,\kappa'}[\overline{C}/\overline{\chi}]$. □

Lemma B.26 $S_{\kappa\{\kappa'/\chi'\}}[\overline{C}/\overline{\chi}] = S_\kappa[\overline{C}, S_{\kappa'}[\overline{C}/\overline{\chi}]/\overline{\chi}, \chi']$

Proof The proof is by induction over the structure of $\kappa$. We will show only the case for polymorphic kinds, the others follow directly by induction. Suppose $\kappa = \forall\chi''.\,\kappa''$. Then the LHS is the set of types $\tau$ of kind $(\forall\chi''.\,\kappa''\{\kappa'/\chi'\})\{\overline{\kappa}/\overline{\chi}\}$ such that for every kind $\kappa'''$ and corresponding candidate $C'''$, $\tau\,[\kappa''']$ belongs to $S_{\kappa''\{\kappa'/\chi'\}}[\overline{C}, C'''/\overline{\chi}, \chi'']$. Applying the inductive hypothesis to $\kappa''$, this is equal to $S_{\kappa''}[\overline{C}, C''', S_{\kappa'}[\overline{C}, C'''/\overline{\chi}, \chi'']/\overline{\chi}, \chi'', \chi']$. But $\chi''$ does not occur free in $\kappa'$ (variables in $\kappa'$ can always be renamed). Therefore, $\tau\,[\kappa''']$ belongs to $S_{\kappa''}[\overline{C}, C''', S_{\kappa'}[\overline{C}/\overline{\chi}]/\overline{\chi}, \chi'', \chi']$. The RHS consists of types $\tau'$ of kind $(\forall\chi''.\,\kappa'')\{\overline{\kappa}, \kappa'\{\overline{\kappa}/\overline{\chi}\}/\overline{\chi}, \chi'\}$ such that for every kind $\kappa'''$ and corresponding candidate $C'''$, $\tau'\,[\kappa''']$ belongs to $S_{\kappa''}[\overline{C}, S_{\kappa'}[\overline{C}/\overline{\chi}], C'''/\overline{\chi}, \chi', \chi'']$. Also, the kind of $\tau'$ is equivalent to $(\forall\chi''.\,\kappa''\{\kappa'/\chi'\})\{\overline{\kappa}/\overline{\chi}\}$. □

Proposition B.27 From Lemma B.25, we know that $S_\kappa[\overline{C}/\overline{\chi}]$ is a candidate of kind $\kappa\{\overline{\kappa}/\overline{\chi}\}$, that $S_{\Omega \to \Omega \to \kappa \to \kappa \to \kappa}[\overline{C}/\overline{\chi}]$ is a candidate of kind $(\Omega \to \Omega \to \kappa \to \kappa \to \kappa)\{\overline{\kappa}/\overline{\chi}\}$, that $S_{\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa}[\overline{C}/\overline{\chi}]$ is a candidate of kind $(\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa)\{\overline{\kappa}/\overline{\chi}\}$, and $S_{(\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa}[\overline{C}/\overline{\chi}]$ is a candidate of kind $((\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa)\{\overline{\kappa}/\overline{\chi}\}$. In the rest of the section, we will assume that the types $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$ belong to the above candidates respectively.


Lemma B.28 $\mathrm{int} \in R_\Omega = S_\Omega[\overline{C}/\overline{\chi}]$

Proof Consider $\tau = \mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$. The lemma holds if $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ belongs to $S_\kappa[\overline{C}/\overline{\chi}]$ is true; given that $\tau_{\mathrm{int}} \in S_\kappa[\overline{C}/\overline{\chi}]$, and $\tau_\to \in S_{\Omega \to \Omega \to \kappa \to \kappa \to \kappa}[\overline{C}/\overline{\chi}]$, and $\tau_\forall \in S_{\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa}[\overline{C}/\overline{\chi}]$, and $\tau_{\forall^+} \in S_{(\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa}[\overline{C}/\overline{\chi}]$.

Since $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$ are strongly normalizable, we will induct over $len = \nu(\tau_{\mathrm{int}}) + \nu(\tau_\to) + \nu(\tau_\forall) + \nu(\tau_{\forall^+})$. We will prove that for all values of $len$, $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ always reduces to a type that belongs to $C_\kappa$; given that the branches belong to the candidates as in Proposition B.27.

• $len = 0$ Then $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ can reduce only to $\tau_{\mathrm{int}}$ which by assumption belongs to $S_\kappa[\overline{C}/\overline{\chi}]$.

• $len = k + 1$ For the inductive case, assume that the hypothesis holds true for $len = k$. That is, for $len = k$, $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ always reduces to a type that belongs to $S_\kappa[\overline{C}/\overline{\chi}]$; given that $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$ belong to $S_\kappa[\overline{C}/\overline{\chi}]$, $S_{\Omega \to \Omega \to \kappa \to \kappa \to \kappa}[\overline{C}/\overline{\chi}]$, $S_{\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa}[\overline{C}/\overline{\chi}]$, and to $S_{(\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa}[\overline{C}/\overline{\chi}]$. This implies that for $len = k$, the type $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ belongs to $S_\kappa[\overline{C}/\overline{\chi}]$ (by property 3 of Definition B.18). For $len = k + 1$, $\tau$ can reduce to $\tau_{\mathrm{int}}$ which belongs to $S_\kappa[\overline{C}/\overline{\chi}]$. The other possible reductions are to $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau'_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ where $\tau_{\mathrm{int}} \leadsto \tau'_{\mathrm{int}}$, or to $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau'_\to;\ \tau_\forall;\ \tau_{\forall^+})$ where $\tau_\to \leadsto \tau'_\to$, or to $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau'_\forall;\ \tau_{\forall^+})$ where $\tau_\forall \leadsto \tau'_\forall$, or to $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau'_{\forall^+})$ where $\tau_{\forall^+} \leadsto \tau'_{\forall^+}$. By property 2 of Definition B.18, each of $\tau'_{\mathrm{int}}$, $\tau'_\to$, $\tau'_\forall$, $\tau'_{\forall^+}$ belongs to the same candidate. Moreover, $len = k$ for each of the reducts. Therefore, by the inductive hypothesis, each of the reducts belongs to $S_\kappa[\overline{C}/\overline{\chi}]$.

Therefore, $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ always reduces to a type that belongs to $S_\kappa[\overline{C}/\overline{\chi}]$. By property 3 of Definition B.18, $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \mathrm{int}\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ also belongs to $S_\kappa[\overline{C}/\overline{\chi}]$. Therefore, $\mathrm{int} \in R_\Omega$. □

Lemma B.29 $\to \in R_\Omega \to R_\Omega \to R_\Omega = S_{\Omega \to \Omega \to \Omega}[\overline{C}/\overline{\chi}]$.

Proof $\to \in R_\Omega \to R_\Omega \to R_\Omega$ if for all $\tau_1 \in R_\Omega$, we get that $(\to)\,\tau_1 \in R_\Omega \to R_\Omega$. This is true if for all $\tau_2 \in R_\Omega$, we get that $(\to)\,\tau_1\,\tau_2 \in R_\Omega$. This is true if $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ ((\to)\,\tau_1\,\tau_2)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ belongs to $S_\kappa[\overline{C}/\overline{\chi}]$ is true with the conditions in Proposition B.27. Since $\tau_1$, $\tau_2$, $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$ are strongly normalizable, we will induct over $len = \nu(\tau_1) + \nu(\tau_2) + \nu(\tau_{\mathrm{int}}) + \nu(\tau_\to) + \nu(\tau_\forall) + \nu(\tau_{\forall^+})$. We will prove that for all values of $len$, the type $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ ((\to)\,\tau_1\,\tau_2)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ always reduces to a type that belongs to $S_\kappa[\overline{C}/\overline{\chi}]$; given that $\tau_1 \in R_\Omega$, and $\tau_2 \in R_\Omega$, and $\tau_{\mathrm{int}} \in S_\kappa[\overline{C}/\overline{\chi}]$, and $\tau_\to \in S_{\Omega \to \Omega \to \kappa \to \kappa \to \kappa}[\overline{C}/\overline{\chi}]$, and $\tau_\forall \in S_{\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa}[\overline{C}/\overline{\chi}]$, and $\tau_{\forall^+} \in S_{(\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa}[\overline{C}/\overline{\chi}]$. Consider

$\tau = \mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ ((\to)\,\tau_1\,\tau_2)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$.

• $len = 0$ The only reduction of $\tau$ is

$\tau' = \tau_\to\,\tau_1\,\tau_2\,(\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \tau_1\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}))\,(\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \tau_2\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}))$

Since both $\tau_1$ and $\tau_2$ belong to $R_\Omega$, $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \tau_1\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ and $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ \tau_2\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ belong to $S_\kappa[\overline{C}/\overline{\chi}]$. This implies that $\tau'$ also belongs to $S_\kappa[\overline{C}/\overline{\chi}]$.

• $len = k + 1$ The other possible reductions come from the reduction of one of the individual types $\tau_1$, $\tau_2$, $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$. The proof in this case is similar to the proof of the corresponding case in Lemma B.28.

Since $\tau$ is neutral, by property 3 of Definition B.18, $\tau$ belongs to $S_\kappa[\overline{C}/\overline{\chi}]$. □

Lemma B.30 If for all $\tau_1 \in S_{\kappa_1}[\overline{C}/\overline{\chi}]$, $\tau\{\tau_1/\alpha\} \in S_{\kappa_2}[\overline{C}/\overline{\chi}]$, then $\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\,\tau \in S_{\kappa_1 \to \kappa_2}[\overline{C}/\overline{\chi}]$.

Proof Consider the neutral type $\tau' = (\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\,\tau)\,\tau_1$. We have that $\tau_1$ is strongly normalizable and $\tau\{\tau_1/\alpha\}$ is strongly normalizable. Therefore, $\tau$ is also strongly normalizable. We will induct over $len = \nu(\tau) + \nu(\tau_1)$. We will prove that for all values of $len$, the type $(\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\,\tau)\,\tau_1$ always reduces to a type that belongs to $S_{\kappa_2}[\overline{C}/\overline{\chi}]$; given that $\tau_1 \in S_{\kappa_1}[\overline{C}/\overline{\chi}]$ and $\tau\{\tau_1/\alpha\} \in S_{\kappa_2}[\overline{C}/\overline{\chi}]$.

• $len = 0$ There are two possible reductions. A beta reduction yields $\tau\{\tau_1/\alpha\}$ which by assumption belongs to $S_{\kappa_2}[\overline{C}/\overline{\chi}]$. If $\tau = \tau_0\,\alpha$ and $\alpha$ does not occur free in $\tau_0$, then we have an eta reduction to $\tau_0\,\tau_1$. But in this case $\tau\{\tau_1/\alpha\} = \tau_0\,\tau_1$.

• $len = k + 1$ For the inductive case, assume that the hypothesis is true for $len = k$. There are two additional reductions. The type $\tau'$ can reduce to $(\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\,\tau)\,\tau''$ where $\tau_1 \leadsto \tau''$. By property 2 of Definition B.18, $\tau''$ belongs to $S_{\kappa_1}[\overline{C}/\overline{\chi}]$. Therefore, $\tau\{\tau''/\alpha\}$ belongs to $S_{\kappa_2}[\overline{C}/\overline{\chi}]$. Moreover, $len = k$. By the inductive hypothesis, $(\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\,\tau)\,\tau''$ always reduces to a type that belongs to $S_{\kappa_2}[\overline{C}/\overline{\chi}]$. By property 3 of Definition B.18, $(\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\,\tau)\,\tau''$ belongs to $S_{\kappa_2}[\overline{C}/\overline{\chi}]$.

The other reduction of $\tau'$ is to $(\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\,\tau'')\,\tau_1$ where $\tau \leadsto \tau''$. By Lemma B.14, $\tau\{\tau_1/\alpha\} \leadsto \tau''\{\tau_1/\alpha\}$. By property 2 of Definition B.18, $\tau''\{\tau_1/\alpha\} \in S_{\kappa_2}[\overline{C}/\overline{\chi}]$. Moreover, $len = k$ for this reduct. Therefore, by the inductive hypothesis, $(\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\,\tau'')\,\tau_1$ always reduces to a type that belongs to $S_{\kappa_2}[\overline{C}/\overline{\chi}]$. By property 3 of Definition B.18, $(\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\,\tau'')\,\tau_1$ belongs to $S_{\kappa_2}[\overline{C}/\overline{\chi}]$.

Therefore, the neutral type $\tau'$ always reduces to a type that belongs to $S_{\kappa_2}[\overline{C}/\overline{\chi}]$. By property 3 of Definition B.18, $\tau' \in S_{\kappa_2}[\overline{C}/\overline{\chi}]$. Therefore, $\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\,\tau$ belongs to $S_{\kappa_1}[\overline{C}/\overline{\chi}] \to S_{\kappa_2}[\overline{C}/\overline{\chi}]$. This implies that $\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\,\tau$ belongs to $S_{\kappa_1 \to \kappa_2}[\overline{C}/\overline{\chi}]$. □

Lemma B.31 $\forall \in S_{\forall\chi.\,(\chi \to \Omega) \to \Omega}[\overline{C}/\overline{\chi}]$.

Proof This is true if for any kind $\kappa_1\{\overline{\kappa}/\overline{\chi}\}$, $\forall\,[\kappa_1\{\overline{\kappa}/\overline{\chi}\}] \in S_{(\chi \to \Omega) \to \Omega}[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]$. This implies that

$\forall\,[\kappa_1\{\overline{\kappa}/\overline{\chi}\}] \in S_{\chi \to \Omega}[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi] \to S_\Omega[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]$

This is true if for all $\tau \in S_{\chi \to \Omega}[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]$, it is true that $\forall\,[\kappa_1\{\overline{\kappa}/\overline{\chi}\}]\,\tau \in S_\Omega[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]$. This implies that $\forall\,[\kappa_1\{\overline{\kappa}/\overline{\chi}\}]\,\tau \in R_\Omega$. This is true if $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ (\forall\,[\kappa_1\{\overline{\kappa}/\overline{\chi}\}]\,\tau)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ belongs to $S_\kappa[\overline{C}/\overline{\chi}]$ is true with the conditions in Proposition B.27. Since each of the types $\tau$, $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$ belongs to a candidate, they are strongly normalizable. We will induct over $len = \nu(\tau) + \nu(\tau_{\mathrm{int}}) + \nu(\tau_\to) + \nu(\tau_\forall) + \nu(\tau_{\forall^+})$. We will prove that for all values of $len$, the type $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ (\forall\,[\kappa_1\{\overline{\kappa}/\overline{\chi}\}]\,\tau)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ always reduces to a type that belongs to $S_\kappa[\overline{C}/\overline{\chi}]$; given that $\tau \in S_{\chi \to \Omega}[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]$, and $\tau_{\mathrm{int}} \in S_\kappa[\overline{C}/\overline{\chi}]$, and $\tau_\to \in S_{\Omega \to \Omega \to \kappa \to \kappa \to \kappa}[\overline{C}/\overline{\chi}]$, and $\tau_\forall \in S_{\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa}[\overline{C}/\overline{\chi}]$, and $\tau_{\forall^+} \in S_{(\forall\chi.\,\Omega) \to (\forall\chi.\,\kappa) \to \kappa}[\overline{C}/\overline{\chi}]$. Consider

$\tau' = \mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ (\forall\,[\kappa_1\{\overline{\kappa}/\overline{\chi}\}]\,\tau)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$

• $len = 0$ Then the only possible reduction of $\tau'$ is

$\tau'_1 = \tau_\forall\,[\kappa_1\{\overline{\kappa}/\overline{\chi}\}]\,\tau\,(\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\ \mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ (\tau\,\alpha)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+}))$

Consider $\tau'' = \mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ (\tau\,\alpha)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$. For all $\tau_1 \in C_{\kappa_1}$, the type $\tau''\{\tau_1/\alpha\}$ reduces to $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ (\tau\,\tau_1)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$. By assumption, $\tau$ belongs to $S_\chi[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi] \to S_\Omega[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]$. Therefore, $\tau$ belongs to $C_{\kappa_1} \to R_\Omega$ which implies that $\tau\,\tau_1 \in R_\Omega$. Therefore $\mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ (\tau\,\tau_1)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ belongs to $S_\kappa[\overline{C}/\overline{\chi}]$. Therefore, by Lemma B.30 (replacing $S_{\kappa_1}[\overline{C}/\overline{\chi}]$ with $C_{\kappa_1}$ in the lemma), $\lambda\alpha{:}\kappa_1\{\overline{\kappa}/\overline{\chi}\}.\ \mathrm{Typerec}[\kappa\{\overline{\kappa}/\overline{\chi}\}]\ (\tau\,\alpha)\ \mathrm{of}\ (\tau_{\mathrm{int}};\ \tau_\to;\ \tau_\forall;\ \tau_{\forall^+})$ belongs to $C_{\kappa_1} \to S_\kappa[\overline{C}/\overline{\chi}]$.

By assumption, $\tau_\forall$ belongs to $S_{\forall\chi.\,(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa}[\overline{C}/\overline{\chi}]$. Therefore, $\tau_\forall\,[\kappa_1\{\overline{\kappa}/\overline{\chi}\}]$ belongs to $S_{(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa}[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]$. This implies that $\tau_\forall\,[\kappa_1\{\overline{\kappa}/\overline{\chi}\}]\,\tau$ belongs to $S_{(\chi \to \kappa) \to \kappa}[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]$.

Consider $C = S_{(\chi \to \kappa) \to \kappa}[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]$. Then $C$ is equal to $S_{\chi \to \kappa}[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi] \to S_\kappa[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]$. This is equivalent to $(C_{\kappa_1} \to S_\kappa[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]) \to S_\kappa[\overline{C}, C_{\kappa_1}/\overline{\chi}, \chi]$. But $\chi$ does not occur free in $\kappa$. So the above can be written as $(C_{\kappa_1} \to S_\kappa[\overline{C}/\overline{\chi}]) \to S_\kappa[\overline{C}/\overline{\chi}]$. This implies that $\tau'_1$ belongs to $S_\kappa[\overline{C}/\overline{\chi}]$.

• $len = k + 1$ The other possible reductions come from the reduction of one of the individual types $\tau$, $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$. The proof in this case is similar to the proof of the corresponding case in Lemma B.28.

Since $\tau'$ is neutral, by property 3 of Definition B.18, $\tau'$ belongs to $S_\kappa[\overline{C}/\overline{\chi}]$. □

Lemma B.32 If for every kind $\kappa'$ and reducibility candidate $C'$ of this kind, $\tau\{\kappa'/\chi'\} \in S_\kappa[\overline{C}, C'/\overline{\chi}, \chi']$, then $\Lambda\chi'.\,\tau \in S_{\forall\chi'.\,\kappa}[\overline{C}/\overline{\chi}]$.

Proof Consider the neutral type $\tau' = (\Lambda\chi'.\,\tau)\,[\kappa']$ for an arbitrary kind $\kappa'$. Since $\tau\{\kappa'/\chi'\}$ is strongly normalizable, $\tau$ is strongly normalizable. We will induct over $len = \nu(\tau)$. We will prove that for all values of $len$, the neutral type $(\Lambda\chi'.\,\tau)\,[\kappa']$ always reduces to a type that belongs to $S_\kappa[\overline{C}, C'/\overline{\chi}, \chi']$; given that $\tau\{\kappa'/\chi'\} \in S_\kappa[\overline{C}, C'/\overline{\chi}, \chi']$.

• $len = 0$ There are two possible reductions. A beta reduction yields $\tau\{\kappa'/\chi'\}$ which by assumption belongs to $S_\kappa[\overline{C}, C'/\overline{\chi}, \chi']$. If $\tau = \tau_0\,[\chi']$ and $\chi'$ does not occur free in $\tau_0$, then we have an eta reduction to $\tau_0\,[\kappa']$. But in this case $\tau\{\kappa'/\chi'\} = \tau_0\,[\kappa']$.

• $len = k + 1$ For the inductive case, assume that the hypothesis is true for $len = k$. There is one additional reduction, $(\Lambda\chi'.\,\tau)\,[\kappa'] \leadsto (\Lambda\chi'.\,\tau_1)\,[\kappa']$ where $\tau \leadsto \tau_1$. By Lemma B.15, we know that $\tau\{\kappa'/\chi'\} \leadsto \tau_1\{\kappa'/\chi'\}$. By property 2 of Definition B.18, $\tau_1\{\kappa'/\chi'\} \in S_\kappa[\overline{C}, C'/\overline{\chi}, \chi']$. Moreover, $len = k$ for this reduct. Therefore, by the inductive hypothesis, $(\Lambda\chi'.\,\tau_1)\,[\kappa']$ always reduces to a type that belongs to $S_\kappa[\overline{C}, C'/\overline{\chi}, \chi']$. By property 3 of Definition B.18, $(\Lambda\chi'.\,\tau_1)\,[\kappa']$ belongs to $S_\kappa[\overline{C}, C'/\overline{\chi}, \chi']$.

Therefore, the neutral type $\tau'$ always reduces to a type that belongs to $S_\kappa[\overline{C}, C'/\overline{\chi}, \chi']$. By property 3 of Definition B.18, $\tau' \in S_\kappa[\overline{C}, C'/\overline{\chi}, \chi']$. Therefore, $\Lambda\chi'.\,\tau$ belongs to $S_{\forall\chi'.\,\kappa}[\overline{C}/\overline{\chi}]$. □

Lemma B.33 If $\tau \in S_{\forall\chi.\,\kappa}[\overline{C}/\overline{\chi}]$, then for every kind $\kappa'\{\overline{\kappa}/\overline{\chi}\}$, $\tau\,[\kappa'\{\overline{\kappa}/\overline{\chi}\}] \in S_{\kappa\{\kappa'/\chi\}}[\overline{C}/\overline{\chi}]$.

Proof By definition, $\tau\,[\kappa'\{\overline{\kappa}/\overline{\chi}\}]$ belongs to $S_\kappa[\overline{C}, C'/\overline{\chi}, \chi]$, for every kind $\kappa'\{\overline{\kappa}/\overline{\chi}\}$ and reducibility candidate $C'$ of this kind. Set $C' = S_{\kappa'}[\overline{C}/\overline{\chi}]$. Applying Lemma B.26 leads to the result. □

Lemma B.34 $\forall^+ \in \mathcal{S}_{(\forall\chi.\Omega)\to\Omega}[\bar{C}/\bar{\chi}]$.

Proof This is true if for all $\tau \in \mathcal{S}_{\forall\chi.\Omega}[\bar{C}/\bar{\chi}]$, we have $\forall^+\,\tau \in R_\Omega$. This is true if $\mathsf{Typerec}[\kappa\{\bar{\kappa}/\bar{\chi}\}]\,(\forall^+\,\tau)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$ belongs to $\mathcal{S}_{\kappa}[\bar{C}/\bar{\chi}]$ with the conditions in proposition B.27. Since all the types are strongly normalizable, we will induct over $len = \nu(\tau) + \nu(\tau_{\mathrm{int}}) + \nu(\tau_\to) + \nu(\tau_\forall) + \nu(\tau_{\forall^+})$.

We will prove that for all values of $len$, the type

$\mathsf{Typerec}[\kappa\{\bar{\kappa}/\bar{\chi}\}]\,(\forall^+\,\tau)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$

always reduces to a type that belongs to $\mathcal{S}_{\kappa}[\bar{C}/\bar{\chi}]$, given that $\tau \in \mathcal{S}_{\forall\chi.\Omega}[\bar{C}/\bar{\chi}]$, and $\tau_{\mathrm{int}} \in \mathcal{S}_{\kappa}[\bar{C}/\bar{\chi}]$, and $\tau_\to \in \mathcal{S}_{\Omega\to\Omega\to\kappa\to\kappa\to\kappa}[\bar{C}/\bar{\chi}]$, and $\tau_\forall \in \mathcal{S}_{\forall\chi.(\chi\to\Omega)\to(\chi\to\kappa)\to\kappa}[\bar{C}/\bar{\chi}]$, and $\tau_{\forall^+} \in \mathcal{S}_{(\forall\chi.\Omega)\to(\forall\chi.\kappa)\to\kappa}[\bar{C}/\bar{\chi}]$. Consider

$\tau' = \mathsf{Typerec}[\kappa\{\bar{\kappa}/\bar{\chi}\}]\,(\forall^+\,\tau)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$

• $len = 0$ Then the only possible reduction of $\tau'$ is

$\tau_{\forall^+}\ \tau\ (\Lambda\chi.\ \mathsf{Typerec}[\kappa\{\bar{\kappa}/\bar{\chi}\}]\,(\tau[\chi])\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}))$

Consider $\tau'' = \mathsf{Typerec}[\kappa\{\bar{\kappa}/\bar{\chi}\}]\,(\tau[\chi])\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$. For an arbitrary kind $\kappa'$, $\tau''\{\kappa'/\chi\}$ is equal to $\mathsf{Typerec}[\kappa\{\bar{\kappa}/\bar{\chi}\}]\,(\tau[\kappa'])\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$. By the assumption on $\tau$, we get that $\tau[\kappa'] \in R_\Omega$. Therefore, by definition, $\tau''\{\kappa'/\chi\} \in \mathcal{S}_{\kappa}[\bar{C}/\bar{\chi}]$. Since $\chi$ does not occur free in $\kappa$, we can write this as $\tau''\{\kappa'/\chi\} \in \mathcal{S}_{\kappa}[\bar{C}, C'/\bar{\chi}, \chi]$ for a candidate $C'$ of kind $\kappa'$. By lemma B.32, $\Lambda\chi.\ \mathsf{Typerec}[\kappa\{\bar{\kappa}/\bar{\chi}\}]\,(\tau[\chi])\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$ belongs to $\mathcal{S}_{\forall\chi.\kappa}[\bar{C}/\bar{\chi}]$. By the assumptions on $\tau_{\forall^+}$ and $\tau$, $\tau_{\forall^+}\ \tau\ (\Lambda\chi.\ \mathsf{Typerec}[\kappa\{\bar{\kappa}/\bar{\chi}\}]\,(\tau[\chi])\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}))$ belongs to $\mathcal{S}_{\kappa}[\bar{C}/\bar{\chi}]$.

• $len = k + 1$ The other possible reductions come from the reduction of one of the individual types $\tau$, $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, and $\tau_{\forall^+}$. The proof in this case is similar to the proof of the corresponding case in lemma B.28.

Since $\tau'$ is neutral, by property 3 of definition B.18, $\tau'$ belongs to $\mathcal{S}_{\kappa}[\bar{C}/\bar{\chi}]$. □

We  now  come  to  the  main  result  of  this  section. 

Theorem B.35 (Candidacy) Let $\tau$ be a type of kind $\kappa$. Suppose all the free type variables of $\tau$ are in $\alpha_1 \ldots \alpha_n$ of kinds $\kappa_1 \ldots \kappa_n$, and all the free kind variables of $\kappa, \kappa_1 \ldots \kappa_n$ are among $\chi_1 \ldots \chi_m$. If $C_1 \ldots C_m$ are candidates of kinds $\kappa'_1 \ldots \kappa'_m$ and $\tau_1 \ldots \tau_n$ are types of kinds $\kappa_1\{\bar{\kappa}'/\bar{\chi}\} \ldots \kappa_n\{\bar{\kappa}'/\bar{\chi}\}$ which are in $\mathcal{S}_{\kappa_1}[\bar{C}/\bar{\chi}] \ldots \mathcal{S}_{\kappa_n}[\bar{C}/\bar{\chi}]$, then $\tau\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\}$ belongs to $\mathcal{S}_{\kappa}[\bar{C}/\bar{\chi}]$.

Proof The proof is by induction over the structure of $\tau$.

The cases of $\mathsf{int}$, $\to$, $\forall$, $\forall^+$ are covered by lemmas B.28, B.29, B.31, B.34.

Suppose $\tau = \alpha_i$ and $\kappa = \kappa_i$. Then $\tau\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\} = \tau_i$. By assumption, this belongs to $\mathcal{S}_{\kappa_i}[\bar{C}/\bar{\chi}]$.

Suppose $\tau = \tau'_1\,\tau'_2$. Then $\tau'_1 : \kappa' \to \kappa$ for some kind $\kappa'$ and $\tau'_2 : \kappa'$. By the inductive hypothesis, $\tau'_1\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\}$ belongs to $\mathcal{S}_{\kappa'\to\kappa}[\bar{C}/\bar{\chi}]$ and $\tau'_2\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\}$ belongs to $\mathcal{S}_{\kappa'}[\bar{C}/\bar{\chi}]$. Therefore, $(\tau'_1\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\})\,(\tau'_2\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\})$ belongs to $\mathcal{S}_{\kappa}[\bar{C}/\bar{\chi}]$.

Suppose $\tau = \tau'[\kappa']$. Then $\tau' : \forall\chi_1.\kappa_1$ and $\kappa = \kappa_1\{\kappa'/\chi_1\}$. By the inductive hypothesis, $\tau'\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\}$ belongs to $\mathcal{S}_{\forall\chi_1.\kappa_1}[\bar{C}/\bar{\chi}]$. By lemma B.33, $\tau'\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\}\,[\kappa'\{\bar{\kappa}'/\bar{\chi}\}]$ belongs to $\mathcal{S}_{\kappa_1\{\kappa'/\chi_1\}}[\bar{C}/\bar{\chi}]$, which is equivalent to $\mathcal{S}_{\kappa}[\bar{C}/\bar{\chi}]$.

Suppose $\tau = \mathsf{Typerec}[\kappa]\,\tau'\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$. Then $\tau' : \Omega$, and $\tau_{\mathrm{int}} : \kappa$, and $\tau_\to : \Omega \to \Omega \to \kappa \to \kappa \to \kappa$, and $\tau_\forall : \forall\chi.(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa$, and $\tau_{\forall^+} : (\forall\chi.\Omega) \to (\forall\chi.\kappa) \to \kappa$. By the inductive hypothesis $\tau'\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\}$ belongs to $R_\Omega$, and $\tau_{\mathrm{int}}\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\}$ belongs to $\mathcal{S}_{\kappa}[\bar{C}/\bar{\chi}]$, and $\tau_\to\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\}$ belongs to $\mathcal{S}_{\Omega\to\Omega\to\kappa\to\kappa\to\kappa}[\bar{C}/\bar{\chi}]$, and $\tau_\forall\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\}$ belongs to $\mathcal{S}_{\forall\chi.(\chi\to\Omega)\to(\chi\to\kappa)\to\kappa}[\bar{C}/\bar{\chi}]$, and $\tau_{\forall^+}\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\}$ belongs to $\mathcal{S}_{(\forall\chi.\Omega)\to(\forall\chi.\kappa)\to\kappa}[\bar{C}/\bar{\chi}]$. By definition of $R_\Omega$,

$\mathsf{Typerec}[\kappa\{\bar{\kappa}'/\bar{\chi}\}]\ \tau'\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\}\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\};\ \tau_\to\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\};\ \tau_\forall\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\};\ \tau_{\forall^+}\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\})$

belongs to $\mathcal{S}_{\kappa}[\bar{C}/\bar{\chi}]$.

Suppose $\tau = \lambda\alpha'{:}\kappa'.\tau_1$. Then $\tau_1 : \kappa''$, where the free type variables of $\tau_1$ are in $\alpha_1, \ldots, \alpha_n, \alpha'$, and $\kappa = \kappa' \to \kappa''$. By the inductive hypothesis, $\tau_1\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}, \tau'/\bar{\alpha}, \alpha'\}$ belongs to $\mathcal{S}_{\kappa''}[\bar{C}/\bar{\chi}]$, where $\tau'$ is of kind $\kappa'\{\bar{\kappa}'/\bar{\chi}\}$ and belongs to $\mathcal{S}_{\kappa'}[\bar{C}/\bar{\chi}]$. This implies that $(\tau_1\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\})\{\tau'/\alpha'\}$ (since $\alpha'$ occurs free only in $\tau_1$) belongs to $\mathcal{S}_{\kappa''}[\bar{C}/\bar{\chi}]$. By lemma B.30, $\lambda\alpha'{:}\kappa'\{\bar{\kappa}'/\bar{\chi}\}.\,(\tau_1\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\})$ belongs to $\mathcal{S}_{\kappa'\to\kappa''}[\bar{C}/\bar{\chi}]$.

Suppose $\tau = \Lambda\chi'.\tau'$. Then $\tau' : \kappa''$ and $\kappa = \forall\chi'.\kappa''$. By the inductive hypothesis, $\tau'\{\bar{\kappa}', \kappa'/\bar{\chi}, \chi'\}\{\bar{\tau}/\bar{\alpha}\}$ belongs to $\mathcal{S}_{\kappa''}[\bar{C}, C'/\bar{\chi}, \chi']$ for an arbitrary kind $\kappa'$ and candidate $C'$ of kind $\kappa'$. Since $\chi'$ occurs free only in $\tau'$, we get that $(\tau'\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\})\{\kappa'/\chi'\}$ belongs to $\mathcal{S}_{\kappa''}[\bar{C}, C'/\bar{\chi}, \chi']$. By lemma B.32, $\Lambda\chi'.\,(\tau'\{\bar{\kappa}'/\bar{\chi}\}\{\bar{\tau}/\bar{\alpha}\})$ belongs to $\mathcal{S}_{\forall\chi'.\kappa''}[\bar{C}/\bar{\chi}]$. □

Suppose $SN_i$ is the set of strongly normalizable types of kind $\kappa_i$.

Corollary B.36 All types are strongly normalizable.

Proof Follows from theorem B.35 by putting $C_i = SN_i$ and $\tau_i = \alpha_i$. □
(context) $C ::= [\,] \mid {\to}\,C \mid {\to}\,(C, \tau) \mid {\to}\,(\tau, C) \mid \forall[\kappa]\,C \mid \forall^+\,C \mid \Lambda\chi.C \mid C[\kappa] \mid \lambda\alpha{:}\kappa.C \mid C\,\tau \mid \tau\,C$
$\mid \mathsf{Typerec}[\kappa]\,C\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$
$\mid \mathsf{Typerec}[\kappa]\,\tau\ \mathsf{of}\ (C; \tau_\to; \tau_\forall; \tau_{\forall^+})$
$\mid \mathsf{Typerec}[\kappa]\,\tau\ \mathsf{of}\ (\tau_{\mathrm{int}}; C; \tau_\forall; \tau_{\forall^+})$
$\mid \mathsf{Typerec}[\kappa]\,\tau\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; C; \tau_{\forall^+})$
$\mid \mathsf{Typerec}[\kappa]\,\tau\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; C)$

Figure 26: Type contexts


$(\beta_1)\quad (\lambda\alpha{:}\kappa.\tau)\,\tau' \leadsto \tau\{\tau'/\alpha\}$

$(\beta_2)\quad (\Lambda\chi.\tau)[\kappa] \leadsto \tau\{\kappa/\chi\}$

$(\eta_1)\quad \lambda\alpha{:}\kappa.\tau\,\alpha \leadsto \tau \qquad \alpha \notin ftv(\tau)$

$(\eta_2)\quad \Lambda\chi.\tau[\chi] \leadsto \tau \qquad \chi \notin fkv(\tau)$

$(\iota_1)\quad \mathsf{Typerec}[\kappa]\,\mathsf{int}\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\for all; \tau_{\forall^+}) \leadsto \tau_{\mathrm{int}}$

$(\iota_2)\quad \mathsf{Typerec}[\kappa]\,(\tau_1 \to \tau_2)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}) \leadsto$
$\qquad \tau_\to\ \tau_1\ \tau_2\ (\mathsf{Typerec}[\kappa]\,\tau_1\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}))\ (\mathsf{Typerec}[\kappa]\,\tau_2\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}))$

$(\iota_3)\quad \mathsf{Typerec}[\kappa]\,(\forall[\kappa_1]\,\tau_1)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}) \leadsto$
$\qquad \tau_\forall\ [\kappa_1]\ \tau_1\ (\lambda\alpha{:}\kappa_1.\ \mathsf{Typerec}[\kappa]\,(\tau_1\,\alpha)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}))$

$(\iota_4)\quad \mathsf{Typerec}[\kappa]\,(\forall^+\,\tau_1)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}) \leadsto$
$\qquad \tau_{\forall^+}\ \tau_1\ (\Lambda\chi.\ \mathsf{Typerec}[\kappa]\,(\tau_1[\chi])\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}))$

Figure 27: Type reductions
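As an added worked reduction (not part of the original paper), the rules of Figure 27 applied to a quantified type: the $\forall$ branch receives the body with its bound variable abstracted, so analysis of the body is suspended until that variable is instantiated. The body $\lambda\beta{:}\Omega.\,\beta \to \mathsf{int}$ is constructed for this example; $\kappa$ and the branch types $\tau_{\mathrm{int}}, \tau_\to, \tau_\forall, \tau_{\forall^+}$ are arbitrary.

\[
\begin{array}{rl}
& \mathsf{Typerec}[\kappa]\,(\forall[\Omega]\,(\lambda\beta{:}\Omega.\,\beta \to \mathsf{int}))\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}) \\
\leadsto_{\iota_3} & \tau_\forall\ [\Omega]\ (\lambda\beta{:}\Omega.\,\beta \to \mathsf{int})\ (\lambda\alpha{:}\Omega.\ \mathsf{Typerec}[\kappa]\,((\lambda\beta{:}\Omega.\,\beta \to \mathsf{int})\,\alpha)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})) \\
\leadsto_{\beta_1} & \tau_\forall\ [\Omega]\ (\lambda\beta{:}\Omega.\,\beta \to \mathsf{int})\ (\lambda\alpha{:}\Omega.\ \mathsf{Typerec}[\kappa]\,(\alpha \to \mathsf{int})\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})) \\
\leadsto_{\iota_2} & \tau_\forall\ [\Omega]\ (\lambda\beta{:}\Omega.\,\beta \to \mathsf{int})\ (\lambda\alpha{:}\Omega.\ \tau_\to\ \alpha\ \mathsf{int}\ (\mathsf{Typerec}[\kappa]\,\alpha\ \mathsf{of}\ (\ldots))\ (\mathsf{Typerec}[\kappa]\,\mathsf{int}\ \mathsf{of}\ (\ldots))) \\
\leadsto_{\iota_1} & \tau_\forall\ [\Omega]\ (\lambda\beta{:}\Omega.\,\beta \to \mathsf{int})\ (\lambda\alpha{:}\Omega.\ \tau_\to\ \alpha\ \mathsf{int}\ (\mathsf{Typerec}[\kappa]\,\alpha\ \mathsf{of}\ (\ldots))\ \tau_{\mathrm{int}})
\end{array}
\]

The remaining $\mathsf{Typerec}[\kappa]\,\alpha\ \mathsf{of}\ (\ldots)$ is neutral (its scrutinee is a variable), so no rule of Figure 27 applies to it and the last line is a normal form; it has kind $\kappa$ since $\tau_\forall : \forall\chi.(\chi \to \Omega) \to (\chi \to \kappa) \to \kappa$ is applied to $[\Omega]$, a function of kind $\Omega \to \Omega$, and a function of kind $\Omega \to \kappa$.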


B.3  Confluence 

The  type  contexts  C  are  shown  in  Figure  26.  The  reduction  rules 
are  shown  in  Figure  27. 

Definition B.37 $\tau_1 \mapsto \tau_2$ iff there exist $\tau'_1$, $\tau'_2$ and $C$ such that $\tau_1 = C[\tau'_1]$ and $\tau_2 = C[\tau'_2]$ and $\tau'_1 \leadsto \tau'_2$.

Lemma B.38 If $\tau_1 \mapsto \tau_2$, then $\tau_1\{\tau/\alpha\} \mapsto \tau_2\{\tau/\alpha\}$.

Proof This requires us to prove that if $\tau' \leadsto \tau''$, then $\tau'\{\tau/\alpha\} \leadsto \tau''\{\tau/\alpha\}$. This follows from lemma B.14. □

Lemma B.39 If $\tau_1 \mapsto \tau_2$, then $\tau_1\{\kappa/\chi\} \mapsto \tau_2\{\kappa/\chi\}$.

Proof This requires us to prove that if $\tau' \leadsto \tau''$, then $\tau'\{\kappa/\chi\} \leadsto \tau''\{\kappa/\chi\}$. This follows from lemma B.15. □

Lemma B.40 If $\tau_1 \mapsto \tau_2$, then $\tau\{\tau_1/\alpha\} \mapsto \tau\{\tau_2/\alpha\}$.

Proof This is proved by induction over the structure of $\tau$, defining in each case an appropriate type context $C$.

Suppose $\tau = \Lambda\chi.\tau'$. Then $\tau\{\tau_1/\alpha\} = \Lambda\chi.\tau'\{\tau_1/\alpha\}$. By induction assume that $\tau'\{\tau_1/\alpha\} \mapsto \tau'\{\tau_2/\alpha\}$. This implies that for some context $C$, $\tau'\{\tau_1/\alpha\} = C[\tau'_1]$ and $\tau'\{\tau_2/\alpha\} = C[\tau'_2]$ and $\tau'_1 \leadsto \tau'_2$. Consider the context $C_0 = \Lambda\chi.C$. Then we get that $\Lambda\chi.\tau'\{\tau_1/\alpha\} = C_0[\tau'_1]$ and $\Lambda\chi.\tau'\{\tau_2/\alpha\} = C_0[\tau'_2]$.

Suppose $\tau = \lambda\beta{:}\kappa.\tau'$. Then $\tau\{\tau_1/\alpha\} = \lambda\beta{:}\kappa.\tau'\{\tau_1/\alpha\}$. By induction assume that $\tau'\{\tau_1/\alpha\} \mapsto \tau'\{\tau_2/\alpha\}$. This implies that for some context $C$, $\tau'\{\tau_1/\alpha\} = C[\tau'_1]$ and $\tau'\{\tau_2/\alpha\} = C[\tau'_2]$ and $\tau'_1 \leadsto \tau'_2$. Consider the context $C_0 = \lambda\beta{:}\kappa.C$. Then we get that $\lambda\beta{:}\kappa.\tau'\{\tau_1/\alpha\} = C_0[\tau'_1]$ and $\lambda\beta{:}\kappa.\tau'\{\tau_2/\alpha\} = C_0[\tau'_2]$.

Suppose $\tau = \tau'[\kappa]$. Then $\tau\{\tau_1/\alpha\} = (\tau'\{\tau_1/\alpha\})[\kappa]$. By induction assume that $\tau'\{\tau_1/\alpha\} \mapsto \tau'\{\tau_2/\alpha\}$. This implies that for some context $C$, $\tau'\{\tau_1/\alpha\} = C[\tau'_1]$ and $\tau'\{\tau_2/\alpha\} = C[\tau'_2]$ and $\tau'_1 \leadsto \tau'_2$. Consider the context $C_0 = C[\kappa]$. Then we get that $(\tau'\{\tau_1/\alpha\})[\kappa] = C_0[\tau'_1]$ and $(\tau'\{\tau_2/\alpha\})[\kappa] = C_0[\tau'_2]$.

Suppose $\tau = \tau'\,\tau''$. Then $\tau\{\tau_1/\alpha\} = (\tau'\{\tau_1/\alpha\})\,(\tau''\{\tau_1/\alpha\})$. By induction assume that $\tau'\{\tau_1/\alpha\} \mapsto \tau'\{\tau_2/\alpha\}$ and $\tau''\{\tau_1/\alpha\} \mapsto \tau''\{\tau_2/\alpha\}$. This implies that for some context $C$, $\tau'\{\tau_1/\alpha\} = C[\tau'_1]$ and $\tau'\{\tau_2/\alpha\} = C[\tau'_2]$ and $\tau'_1 \leadsto \tau'_2$. Consider the context $C_0 = C\,(\tau''\{\tau_1/\alpha\})$. Then we get that $(\tau'\{\tau_1/\alpha\})\,(\tau''\{\tau_1/\alpha\}) = C_0[\tau'_1]$ and $(\tau'\{\tau_2/\alpha\})\,(\tau''\{\tau_1/\alpha\}) = C_0[\tau'_2]$. Repeating the same process, but this time starting with $(\tau'\{\tau_2/\alpha\})\,(\tau''\{\tau_1/\alpha\})$, leads to the lemma.

Suppose $\tau = \mathsf{Typerec}[\kappa]\,\tau'\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$. Then

$\tau\{\tau_1/\alpha\} = \mathsf{Typerec}[\kappa]\,(\tau'\{\tau_1/\alpha\})\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau_1/\alpha\}; \tau_\to\{\tau_1/\alpha\}; \tau_\forall\{\tau_1/\alpha\}; \tau_{\forall^+}\{\tau_1/\alpha\})$

By induction assume that $\tau'\{\tau_1/\alpha\} \mapsto \tau'\{\tau_2/\alpha\}$ and $\tau_{\mathrm{int}}\{\tau_1/\alpha\} \mapsto \tau_{\mathrm{int}}\{\tau_2/\alpha\}$ and $\tau_\to\{\tau_1/\alpha\} \mapsto \tau_\to\{\tau_2/\alpha\}$ and $\tau_\forall\{\tau_1/\alpha\} \mapsto \tau_\forall\{\tau_2/\alpha\}$ and $\tau_{\forall^+}\{\tau_1/\alpha\} \mapsto \tau_{\forall^+}\{\tau_2/\alpha\}$. This implies that for some context $C$, $\tau'\{\tau_1/\alpha\} = C[\tau'_1]$ and $\tau'\{\tau_2/\alpha\} = C[\tau'_2]$ and $\tau'_1 \leadsto \tau'_2$. Consider the context

$C_0 = \mathsf{Typerec}[\kappa]\,C\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau_1/\alpha\}; \tau_\to\{\tau_1/\alpha\}; \tau_\forall\{\tau_1/\alpha\}; \tau_{\forall^+}\{\tau_1/\alpha\})$

Then we get that

$C_0[\tau'_1] = \mathsf{Typerec}[\kappa]\,(\tau'\{\tau_1/\alpha\})\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau_1/\alpha\}; \tau_\to\{\tau_1/\alpha\}; \tau_\forall\{\tau_1/\alpha\}; \tau_{\forall^+}\{\tau_1/\alpha\})$

and

$C_0[\tau'_2] = \mathsf{Typerec}[\kappa]\,(\tau'\{\tau_2/\alpha\})\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau_1/\alpha\}; \tau_\to\{\tau_1/\alpha\}; \tau_\forall\{\tau_1/\alpha\}; \tau_{\forall^+}\{\tau_1/\alpha\})$

Repeating this process with the other subtypes leads to the lemma. □

Theorem B.41 If $\tau$ is strongly normalizing and locally confluent, then $\tau$ is confluent.

Proof This is proved by induction over $\nu(\tau)$. □

To prove local confluence, we consider types with two holes. The contexts are specified in Figure 28. Given a type $\tau'$ we may write it as $C_1[\tau_1]$ or as $C_2[\tau_2]$. The two holes, $\tau_1$ and $\tau_2$, are said to overlap if one is a subterm of the other. If the two holes do not overlap, then $\tau'$ may be written as $D[\tau'', \tau''']$ and it is obvious that the reduction is locally confluent.

We therefore need to consider only overlapping holes, that is $\tau' = C_1[\tau]$ and $\tau = C_2[\tau_1]$. Without loss of generality, we may discard the outer context $C_1$.

The local confluence is now proved by considering each possible reduction of $\tau$ according to the reduction rules and, for each case, showing that there exists another set of reductions that guarantees local confluence.
(context) $D ::= {\to}(C_1, C_2) \mid C_1\,C_2$
$\mid \mathsf{Typerec}[\kappa]\,C_1\ \mathsf{of}\ (C_2; \tau_\to; \tau_\forall; \tau_{\forall^+})$
$\mid \mathsf{Typerec}[\kappa]\,C_1\ \mathsf{of}\ (\tau_{\mathrm{int}}; C_2; \tau_\forall; \tau_{\forall^+})$
$\mid \mathsf{Typerec}[\kappa]\,C_1\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; C_2; \tau_{\forall^+})$
$\mid \mathsf{Typerec}[\kappa]\,C_1\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; C_2)$
$\mid \mathsf{Typerec}[\kappa]\,\tau\ \mathsf{of}\ (C_1; C_2; \tau_\forall; \tau_{\forall^+})$
$\mid \mathsf{Typerec}[\kappa]\,\tau\ \mathsf{of}\ (C_1; \tau_\to; C_2; \tau_{\forall^+})$
$\mid \mathsf{Typerec}[\kappa]\,\tau\ \mathsf{of}\ (C_1; \tau_\to; \tau_\forall; C_2)$
$\mid \mathsf{Typerec}[\kappa]\,\tau\ \mathsf{of}\ (\tau_{\mathrm{int}}; C_1; C_2; \tau_{\forall^+})$
$\mid \mathsf{Typerec}[\kappa]\,\tau\ \mathsf{of}\ (\tau_{\mathrm{int}}; C_1; \tau_\forall; C_2)$
$\mid \mathsf{Typerec}[\kappa]\,\tau\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; C_1; C_2)$
$\mid C[D]$

Figure 28: Type contexts with two holes


We show that if $\tau \leadsto \tau''$, then for each rule such that $\tau_1 \leadsto \tau'_1$, there exists a $\tau'''$ and a sequence of reductions that take $\tau''$ to $\tau'''$ and $C_2[\tau'_1]$ to $\tau'''$. We use a diagram to prove this. The left arrow represents the reduction from $\tau$ to $\tau''$ and the right arrow shows the reduction from $C_2[\tau_1]$ to $C_2[\tau'_1]$. The dashed arrows are then used to show the reductions that complete local confluence. Each diagram is written out below as its left arrow, its right arrow, and its dashed arrows.

The set of reductions is shown in Figure 27. We use $\mathcal{T}$ to denote the complete set of reductions.

case $\beta_1$: Suppose $\tau$ is a beta redex $(\lambda\alpha{:}\kappa.\tau_1)\,\tau_2$. Suppose further that $\tau_1 \leadsto \tau'_1$ through any reduction in $\mathcal{T}$ apart from an eta-redex.

left arrow: $(\lambda\alpha{:}\kappa.\tau_1)\,\tau_2 \leadsto_{\beta_1} \tau_1\{\tau_2/\alpha\}$
right arrow: $(\lambda\alpha{:}\kappa.\tau_1)\,\tau_2 \leadsto_{\mathcal{T}} (\lambda\alpha{:}\kappa.\tau'_1)\,\tau_2$
dashed arrows: $\tau_1\{\tau_2/\alpha\} \mapsto \tau'_1\{\tau_2/\alpha\}$ by lemma B.38, and $(\lambda\alpha{:}\kappa.\tau'_1)\,\tau_2 \leadsto_{\beta_1} \tau'_1\{\tau_2/\alpha\}$.

Suppose that the reduction to $\tau'_1$ is through an eta-redex, that is, $\tau_1 = \tau'_1\,\alpha$ with $\alpha \notin ftv(\tau'_1)$, so that the function part $\lambda\alpha{:}\kappa.\tau'_1\,\alpha$ reduces by $\eta_1$ to $\tau'_1$.

left arrow: $(\lambda\alpha{:}\kappa.\tau'_1\,\alpha)\,\tau_2 \leadsto_{\beta_1} \tau'_1\,\tau_2$
right arrow: $(\lambda\alpha{:}\kappa.\tau'_1\,\alpha)\,\tau_2 \leadsto_{\eta_1} \tau'_1\,\tau_2$
Both reducts are the same type $\tau'_1\,\tau_2$.

Suppose that $\tau_2 \leadsto \tau'_2$ through any reduction in $\mathcal{T}$.

left arrow: $(\lambda\alpha{:}\kappa.\tau_1)\,\tau_2 \leadsto_{\beta_1} \tau_1\{\tau_2/\alpha\}$
right arrow: $(\lambda\alpha{:}\kappa.\tau_1)\,\tau_2 \leadsto_{\mathcal{T}} (\lambda\alpha{:}\kappa.\tau_1)\,\tau'_2$
dashed arrows: $\tau_1\{\tau_2/\alpha\} \mapsto \tau_1\{\tau'_2/\alpha\}$ by lemma B.40, and $(\lambda\alpha{:}\kappa.\tau_1)\,\tau'_2 \leadsto_{\beta_1} \tau_1\{\tau'_2/\alpha\}$.

case $\beta_2$: This is similar to the $\beta_1$ case. Suppose $\tau$ reduces to $\tau'$ by a reduction in $\mathcal{T}$ other than $(\eta_2)$.

left arrow: $(\Lambda\chi.\tau)[\kappa] \leadsto_{\beta_2} \tau\{\kappa/\chi\}$
right arrow: $(\Lambda\chi.\tau)[\kappa] \leadsto_{\mathcal{T}} (\Lambda\chi.\tau')[\kappa]$
dashed arrows: $\tau\{\kappa/\chi\} \mapsto \tau'\{\kappa/\chi\}$ by lemma B.39, and $(\Lambda\chi.\tau')[\kappa] \leadsto_{\beta_2} \tau'\{\kappa/\chi\}$.

When $\tau$ reduces by $(\eta_2)$, assume that $\tau = \tau'[\chi]$ with $\chi \notin fkv(\tau')$.

left arrow: $(\Lambda\chi.\tau'[\chi])[\kappa] \leadsto_{\beta_2} \tau\{\kappa/\chi\} = \tau'[\kappa]$
right arrow: $(\Lambda\chi.\tau'[\chi])[\kappa] \leadsto_{\eta_2} \tau'[\kappa]$
Both reducts are the same type $\tau'[\kappa]$.

case $\eta_1$: Suppose $\tau = \lambda\alpha{:}\kappa.(\tau'\,\alpha)$ with $\alpha \notin ftv(\tau')$, and $\tau' \leadsto \tau''$ by a reduction in $\mathcal{T}$ other than a beta-reduction of $\tau'$ applied to $\alpha$.

left arrow: $\lambda\alpha{:}\kappa.(\tau'\,\alpha) \leadsto_{\eta_1} \tau'$
right arrow: $\lambda\alpha{:}\kappa.(\tau'\,\alpha) \leadsto_{\mathcal{T}-\beta_1} \lambda\alpha{:}\kappa.(\tau''\,\alpha)$
dashed arrows: $\tau' \leadsto_{\mathcal{T}} \tau''$, and $\lambda\alpha{:}\kappa.(\tau''\,\alpha) \leadsto_{\eta_1} \tau''$.

When the right arrow denotes a beta-reduction, assume that $\tau' = \lambda\beta{:}\kappa.\tau_1$.

left arrow: $\lambda\alpha{:}\kappa.((\lambda\beta{:}\kappa.\tau_1)\,\alpha) \leadsto_{\eta_1} \lambda\beta{:}\kappa.\tau_1$
right arrow: $\lambda\alpha{:}\kappa.((\lambda\beta{:}\kappa.\tau_1)\,\alpha) \leadsto_{\beta_1} \lambda\alpha{:}\kappa.\tau_1\{\alpha/\beta\}$
The two reducts are alpha-equivalent: $\lambda\beta{:}\kappa.\tau_1 =_\alpha \lambda\alpha{:}\kappa.\tau_1\{\alpha/\beta\}$.

case $\eta_2$: This is similar to the $\eta_1$ case. Suppose $\tau = \Lambda\chi.(\tau'[\chi])$ with $\chi \notin fkv(\tau')$, and $\tau' \leadsto \tau''$ by a reduction in $\mathcal{T}$ other than a beta-reduction of $\tau'$ applied to $[\chi]$.

left arrow: $\Lambda\chi.(\tau'[\chi]) \leadsto_{\eta_2} \tau'$
right arrow: $\Lambda\chi.(\tau'[\chi]) \leadsto_{\mathcal{T}-\beta_2} \Lambda\chi.(\tau''[\chi])$
dashed arrows: $\tau' \leadsto_{\mathcal{T}} \tau''$, and $\Lambda\chi.(\tau''[\chi]) \leadsto_{\eta_2} \tau''$.

When the right arrow denotes a beta-reduction, assume that $\tau' = \Lambda\chi'.\tau_1$.

left arrow: $\Lambda\chi.((\Lambda\chi'.\tau_1)[\chi]) \leadsto_{\eta_2} \Lambda\chi'.\tau_1$
right arrow: $\Lambda\chi.((\Lambda\chi'.\tau_1)[\chi]) \leadsto_{\beta_2} \Lambda\chi.\tau_1\{\chi/\chi'\}$
The two reducts are alpha-equivalent: $\Lambda\chi'.\tau_1 =_\alpha \Lambda\chi.\tau_1\{\chi/\chi'\}$.

case $\iota_1$: We consider only the case of $\tau_{\mathrm{int}} \leadsto \tau'_{\mathrm{int}}$. The other possible reductions are locally confluent in an obvious way.

left arrow: $\mathsf{Typerec}[\kappa]\,\mathsf{int}\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}) \leadsto_{\iota_1} \tau_{\mathrm{int}}$
right arrow: $\mathsf{Typerec}[\kappa]\,\mathsf{int}\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}) \leadsto_{\mathcal{T}} \mathsf{Typerec}[\kappa]\,\mathsf{int}\ \mathsf{of}\ (\tau'_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$
dashed arrows: $\tau_{\mathrm{int}} \leadsto_{\mathcal{T}} \tau'_{\mathrm{int}}$, and $\mathsf{Typerec}[\kappa]\,\mathsf{int}\ \mathsf{of}\ (\tau'_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}) \leadsto_{\iota_1} \tau'_{\mathrm{int}}$.

case $\iota_2$: There are six possible subcases from the reduction of either $\tau_1$, $\tau_2$, $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, or $\tau_{\forall^+}$. The cases for the reduction of $\tau_1$ and $\tau_2$ are similar; we will show only the case for the reduction of $\tau_1$. We use $\mathsf{Typerec}[\kappa]\,\tau'\ \mathsf{of}\ \bar{\tau}$ as a shorthand for $\mathsf{Typerec}[\kappa]\,\tau'\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$.

left arrow: $\mathsf{Typerec}[\kappa]\,(\tau_1 \to \tau_2)\ \mathsf{of}\ \bar{\tau} \leadsto_{\iota_2} \tau_\to\ \tau_1\ \tau_2\ (\mathsf{Typerec}[\kappa]\,\tau_1\ \mathsf{of}\ \bar{\tau})\ (\mathsf{Typerec}[\kappa]\,\tau_2\ \mathsf{of}\ \bar{\tau})$
right arrow: $\mathsf{Typerec}[\kappa]\,(\tau_1 \to \tau_2)\ \mathsf{of}\ \bar{\tau} \leadsto_{\mathcal{T}} \mathsf{Typerec}[\kappa]\,(\tau'_1 \to \tau_2)\ \mathsf{of}\ \bar{\tau}$
dashed arrows: the right reduct reduces by $\iota_2$ to $\tau_\to\ \tau'_1\ \tau_2\ (\mathsf{Typerec}[\kappa]\,\tau'_1\ \mathsf{of}\ \bar{\tau})\ (\mathsf{Typerec}[\kappa]\,\tau_2\ \mathsf{of}\ \bar{\tau})$; the left reduct reaches the same type by reducing $\tau_1$ to $\tau'_1$ ($\mathcal{T}$) in each of its two occurrences.

case $\iota_4$: There are five possible subcases from the reduction of either $\tau_1$, $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, or $\tau_{\forall^+}$. First, the reduction of $\tau_1$.

left arrow: $\mathsf{Typerec}[\kappa]\,(\forall^+\,\tau_1)\ \mathsf{of}\ \bar{\tau} \leadsto_{\iota_4} \tau_{\forall^+}\ \tau_1\ (\Lambda\chi.\ \mathsf{Typerec}[\kappa]\,(\tau_1[\chi])\ \mathsf{of}\ \bar{\tau})$
right arrow: $\mathsf{Typerec}[\kappa]\,(\forall^+\,\tau_1)\ \mathsf{of}\ \bar{\tau} \leadsto_{\mathcal{T}} \mathsf{Typerec}[\kappa]\,(\forall^+\,\tau'_1)\ \mathsf{of}\ \bar{\tau}$
dashed arrows: the right reduct reduces by $\iota_4$ to $\tau_{\forall^+}\ \tau'_1\ (\Lambda\chi.\ \mathsf{Typerec}[\kappa]\,(\tau'_1[\chi])\ \mathsf{of}\ \bar{\tau})$; the left reduct reaches the same type by reducing $\tau_1$ to $\tau'_1$ ($\mathcal{T}$) in each of its two occurrences.

Of the reductions of the branches we will only show the reduction of $\tau_\to$ in the $\iota_2$ case, in which $\bar{\tau}'$ stands for $(\tau_{\mathrm{int}}; \tau'_\to; \tau_\forall; \tau_{\forall^+})$.

left arrow: $\mathsf{Typerec}[\kappa]\,(\tau_1 \to \tau_2)\ \mathsf{of}\ \bar{\tau} \leadsto_{\iota_2} \tau_\to\ \tau_1\ \tau_2\ (\mathsf{Typerec}[\kappa]\,\tau_1\ \mathsf{of}\ \bar{\tau})\ (\mathsf{Typerec}[\kappa]\,\tau_2\ \mathsf{of}\ \bar{\tau})$
right arrow: $\mathsf{Typerec}[\kappa]\,(\tau_1 \to \tau_2)\ \mathsf{of}\ \bar{\tau} \leadsto_{\mathcal{T}} \mathsf{Typerec}[\kappa]\,(\tau_1 \to \tau_2)\ \mathsf{of}\ \bar{\tau}'$
dashed arrows: the right reduct reduces by $\iota_2$ to $\tau'_\to\ \tau_1\ \tau_2\ (\mathsf{Typerec}[\kappa]\,\tau_1\ \mathsf{of}\ \bar{\tau}')\ (\mathsf{Typerec}[\kappa]\,\tau_2\ \mathsf{of}\ \bar{\tau}')$; the left reduct reaches the same type by $\mathcal{T}^*$, reducing $\tau_\to$ to $\tau'_\to$ in each of its three occurrences.

Similarly, for the reduction of $\tau_{\forall^+}$ in the $\iota_4$ case, with $\bar{\tau}'$ standing for $(\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau'_{\forall^+})$:

left arrow: $\mathsf{Typerec}[\kappa]\,(\forall^+\,\tau_1)\ \mathsf{of}\ \bar{\tau} \leadsto_{\iota_4} \tau_{\forall^+}\ \tau_1\ (\Lambda\chi.\ \mathsf{Typerec}[\kappa]\,(\tau_1[\chi])\ \mathsf{of}\ \bar{\tau})$
right arrow: $\mathsf{Typerec}[\kappa]\,(\forall^+\,\tau_1)\ \mathsf{of}\ \bar{\tau} \leadsto_{\mathcal{T}} \mathsf{Typerec}[\kappa]\,(\forall^+\,\tau_1)\ \mathsf{of}\ \bar{\tau}'$
dashed arrows: the right reduct reduces by $\iota_4$ to $\tau'_{\forall^+}\ \tau_1\ (\Lambda\chi.\ \mathsf{Typerec}[\kappa]\,(\tau_1[\chi])\ \mathsf{of}\ \bar{\tau}')$; the left reduct reaches the same type by $\mathcal{T}^*$, reducing $\tau_{\forall^+}$ to $\tau'_{\forall^+}$ in each of its two occurrences.
case $\iota_3$: There are five possible subcases from the reduction of either $\tau_1$, $\tau_{\mathrm{int}}$, $\tau_\to$, $\tau_\forall$, or $\tau_{\forall^+}$. Here $\bar{\tau}$ stands for $(\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+})$. We first show the reduction of $\tau_1$.

left arrow: $\mathsf{Typerec}[\kappa]\,(\forall[\kappa_1]\,\tau_1)\ \mathsf{of}\ \bar{\tau} \leadsto_{\iota_3} \tau_\forall\ [\kappa_1]\ \tau_1\ (\lambda\alpha{:}\kappa_1.\ \mathsf{Typerec}[\kappa]\,(\tau_1\,\alpha)\ \mathsf{of}\ \bar{\tau})$
right arrow: $\mathsf{Typerec}[\kappa]\,(\forall[\kappa_1]\,\tau_1)\ \mathsf{of}\ \bar{\tau} \leadsto_{\mathcal{T}} \mathsf{Typerec}[\kappa]\,(\forall[\kappa_1]\,\tau'_1)\ \mathsf{of}\ \bar{\tau}$
dashed arrows: the right reduct reduces by $\iota_3$ to $\tau_\forall\ [\kappa_1]\ \tau'_1\ (\lambda\alpha{:}\kappa_1.\ \mathsf{Typerec}[\kappa]\,(\tau'_1\,\alpha)\ \mathsf{of}\ \bar{\tau})$; the left reduct reaches the same type by reducing $\tau_1$ to $\tau'_1$ ($\mathcal{T}$) in each of its two occurrences.

Of the reductions of the branches we will only show the reduction of $\tau_\forall$, in which $\bar{\tau}'$ stands for $(\tau_{\mathrm{int}}; \tau_\to; \tau'_\forall; \tau_{\forall^+})$.

left arrow: $\mathsf{Typerec}[\kappa]\,(\forall[\kappa_1]\,\tau_1)\ \mathsf{of}\ \bar{\tau} \leadsto_{\iota_3} \tau_\forall\ [\kappa_1]\ \tau_1\ (\lambda\alpha{:}\kappa_1.\ \mathsf{Typerec}[\kappa]\,(\tau_1\,\alpha)\ \mathsf{of}\ \bar{\tau})$
right arrow: $\mathsf{Typerec}[\kappa]\,(\forall[\kappa_1]\,\tau_1)\ \mathsf{of}\ \bar{\tau} \leadsto_{\mathcal{T}} \mathsf{Typerec}[\kappa]\,(\forall[\kappa_1]\,\tau_1)\ \mathsf{of}\ \bar{\tau}'$
dashed arrows: the right reduct reduces by $\iota_3$ to $\tau'_\forall\ [\kappa_1]\ \tau_1\ (\lambda\alpha{:}\kappa_1.\ \mathsf{Typerec}[\kappa]\,(\tau_1\,\alpha)\ \mathsf{of}\ \bar{\tau}')$; the left reduct reaches the same type by $\mathcal{T}^*$, reducing $\tau_\forall$ to $\tau'_\forall$ in each of its two occurrences.


C Properties of $\lambda^P_i$

C.1 Soundness of $\lambda^P_i$

Lemma C.1 (Normal form of types) If $\varepsilon;\varepsilon \vdash \nu : \Omega$, then $\nu$ is one of $\mathsf{int}$, $\nu' \to \nu''$, $\forall[\kappa]\,\nu'$, $\forall^+\,\nu'$, or $\mu\,\nu'$.

Proof Since $\nu$ is kind checked in an empty environment, $\nu$ cannot be a $\nu^\circ$, since the head of a $\nu^\circ$ is a type variable. From the kind, $\nu$ must be $\mathsf{int}$ or of the form $\Lambda\chi.\nu_1$ with $\varepsilon, \chi; \varepsilon \vdash \nu_1 : \chi$. From the kind, it is obvious that the only possible forms for $\nu_1$ are $\mathsf{int}[\chi]$, $(\to)[\chi]\,\nu'_1\,\nu'_2$, $\forall[\chi][\kappa]\,\nu'_1$, $\forall^+[\chi]\,\nu'_1$, $\mu[\chi]\,\nu'_1$. It cannot have a $\mathsf{Place}$ constructor for the following reason. The only way it can have a $\mathsf{Place}$ constructor is if it is of the form $\mathsf{Place}[\chi]\,\nu'_1$. But this requires $\nu'_1$ to have the kind $\chi$. This is not possible since none of the $\nu$ normal forms can have this kind, and $\nu'_1$ cannot have an occurrence of $\nu^\circ$ since the kinding is in an empty type environment.

The normal form $\Lambda\chi.(\mathsf{int}[\chi])$ is equivalent to $\mathsf{int}$ by eta reduction. The normal form $\Lambda\chi.((\to)[\chi]\,\nu'_1\,\nu'_2)$ is equivalent to $(\Lambda\chi.\nu'_1) \to (\Lambda\chi.\nu'_2)$. The normal form $\Lambda\chi.(\forall[\chi][\kappa]\,\nu'_1)$ is equivalent to $\forall[\kappa]\,(\lambda\alpha{:}\kappa.\,\Lambda\chi.\,\nu'_1\,\alpha)$. The normal form $\Lambda\chi.(\forall^+[\chi]\,\nu'_1)$ is equivalent to $\forall^+\,(\Lambda\chi_1.\,\Lambda\chi.\,\nu'_1[\chi_1])$. The normal form $\Lambda\chi.(\mu[\chi]\,\nu'_1)$ is equivalent to $\mu\,(\Lambda\chi.\,\ldots)$ (see the rules at the bottom of Figure 11). □

Lemma C.2 (Decomposition of terms) If $\vdash e : \tau$, then $e$ is either a value or can be decomposed into a unique $E$ and a unique redex $e'$ such that $e = E[e']$.

Proof Proved by induction over the structure of $e$. Each of the cases follows similarly. We will consider only the interesting cases.
$(\lambda x{:}\tau.e)\,v \leadsto e\{v/x\}$
$(\mathsf{fix}\,x{:}\tau.v)\,v' \leadsto (v\{\mathsf{fix}\,x{:}\tau.v/x\})\,v'$
$(\Lambda\alpha{:}\kappa.v)[\tau] \leadsto v\{\tau/\alpha\}$
$(\mathsf{fix}\,x{:}\tau.v)[\tau'] \leadsto (v\{\mathsf{fix}\,x{:}\tau.v/x\})[\tau']$
$(\Lambda^+\chi.v)[\kappa]^+ \leadsto v\{\kappa/\chi\}$
$(\mathsf{fix}\,x{:}\tau.v)[\kappa]^+ \leadsto (v\{\mathsf{fix}\,x{:}\tau.v/x\})[\kappa]^+$
$\mathsf{unfold}\,(\mathsf{fold}\,v\ \mathsf{as}\ \tau)\ \mathsf{as}\ \tau \leadsto v$

$\mathsf{typecase}[\tau]\,\mathsf{int}\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu) \leadsto e_{\mathrm{int}}$
$\mathsf{typecase}[\tau]\,(\tau_1 \to \tau_2)\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu) \leadsto e_\to\,[\tau_1]\,[\tau_2]$
$\mathsf{typecase}[\tau]\,(\forall[\kappa]\,\tau')\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu) \leadsto e_\forall\,[\kappa]^+\,[\tau']$
$\mathsf{typecase}[\tau]\,(\forall^+\,\tau')\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu) \leadsto e_{\forall^+}\,[\tau']$
$\mathsf{typecase}[\tau]\,(\mu\,\tau')\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu) \leadsto e_\mu\,[\tau']$

$\dfrac{e \leadsto e_1}{e\,e' \leadsto e_1\,e'} \qquad \dfrac{e \leadsto e_1}{v\,e \leadsto v\,e_1} \qquad \dfrac{e \leadsto e_1}{e[\tau] \leadsto e_1[\tau]} \qquad \dfrac{e \leadsto e_1}{e[\kappa]^+ \leadsto e_1[\kappa]^+}$

$\dfrac{e \leadsto e_1}{\mathsf{fold}\,e\ \mathsf{as}\ \tau \leadsto \mathsf{fold}\,e_1\ \mathsf{as}\ \tau} \qquad \dfrac{e \leadsto e_1}{\mathsf{unfold}\,e\ \mathsf{as}\ \tau \leadsto \mathsf{unfold}\,e_1\ \mathsf{as}\ \tau}$

$\dfrac{\varepsilon;\varepsilon \vdash \tau' \leadsto^* \nu' : \Omega \qquad \nu'\ \text{is normal form}}{\mathsf{typecase}[\tau]\,\tau'\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu) \leadsto \mathsf{typecase}[\tau]\,\nu'\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu)}$

Figure 29: Operational semantics of $\lambda^P_i$


(value) $v ::= i \mid \lambda x{:}\tau.e \mid \mathsf{fold}\,v\ \mathsf{as}\ \tau \mid \mathsf{unfold}\,v\ \mathsf{as}\ \tau \mid \Lambda\alpha{:}\kappa.v \mid \Lambda^+\chi.v \mid \mathsf{fix}\,x{:}\tau.v$

(context) $E ::= [\,] \mid E\,e \mid v\,E \mid E[\tau] \mid E[\kappa]^+ \mid \mathsf{fold}\,E\ \mathsf{as}\ \tau \mid \mathsf{unfold}\,E\ \mathsf{as}\ \tau$

(redex) $r ::= (\lambda x{:}\tau.e)\,v \mid (\Lambda\alpha{:}\kappa.v)[\tau] \mid (\Lambda^+\chi.v)[\kappa]^+$
$\mid (\mathsf{fix}\,x{:}\tau.v)\,v' \mid (\mathsf{fix}\,x{:}\tau.v)[\tau'] \mid (\mathsf{fix}\,x{:}\tau.v)[\kappa]^+$
$\mid \mathsf{unfold}\,(\mathsf{fold}\,v\ \mathsf{as}\ \tau)\ \mathsf{as}\ \tau$
$\mid \mathsf{typecase}[\tau]\,\tau'\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu)$
$\mid \mathsf{typecase}[\tau]\,\mathsf{int}\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu)$
$\mid \mathsf{typecase}[\tau]\,(\tau' \to \tau'')\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu)$
$\mid \mathsf{typecase}[\tau]\,(\forall[\kappa]\,\tau')\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu)$
$\mid \mathsf{typecase}[\tau]\,(\forall^+\,\tau')\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu)$
$\mid \mathsf{typecase}[\tau]\,(\mu\,\tau')\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu)$

Figure 30: Term contexts


Suppose $e = e_1\,e_2$. By assumption, $\vdash e_1\,e_2 : \tau$. Therefore $\vdash e_1 : \tau_1 \to \tau$ and $\vdash e_2 : \tau_1$ for some type $\tau_1$. Apply the inductive hypothesis now to $e_1$ and $e_2$. If both $e_1$ and $e_2$ are values $v_1$ and $v_2$, then the only possible decomposition is $[\,][v_1\,v_2]$. If $e_2 = E_2[e'_2]$, then set $E$ to be $v_1\,E_2$ and $e'$ to be $e'_2$. If $e_1 = E_1[e'_1]$, then set $E$ to be $E_1\,e_2$ and $e'$ to be $e'_1$.

Suppose $e = \mathsf{typecase}[\tau]\,\tau'\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu)$. If $\tau'$ is not a normal form, then $E$ is the empty context and $e$ is the redex. If $\tau'$ is a normal form, then by lemma C.1 $e$ is still a redex and $E$ is therefore the empty context. □


$\nu^\circ ::= \alpha \mid \nu^\circ\,\nu \mid \nu^\circ[\kappa] \mid \mathsf{Typerec}[\kappa]\,\nu^\circ\ \mathsf{of}\ (\nu_{\mathrm{int}}; \nu_\to; \nu_\forall; \nu_{\forall^+})$

$\nu ::= \nu^\circ \mid \mathsf{int} \mid \mathsf{int}[\kappa] \mid {\to} \mid {\to}[\kappa] \mid (\to)[\kappa]\,\nu \mid (\to)[\kappa]\,\nu\,\nu'$
$\mid \forall \mid \forall[\kappa] \mid \forall[\kappa][\kappa'] \mid \forall[\kappa][\kappa']\,\nu$
$\mid \forall^+ \mid \forall^+[\kappa] \mid \forall^+[\kappa]\,\nu \mid \mu \mid \mu[\kappa] \mid \mu[\kappa]\,\nu$
$\mid \mathsf{Place} \mid \mathsf{Place}[\kappa] \mid \mathsf{Place}[\kappa]\,\nu$
$\mid \lambda\alpha{:}\kappa.\nu$, where $\forall\nu^\circ.\ \nu \neq \nu^\circ\,\alpha$ or $\alpha \in ftv(\nu^\circ)$
$\mid \Lambda\chi.\nu$, where $\forall\nu^\circ.\ \nu \neq \nu^\circ[\chi]$ or $\chi \in fkv(\nu^\circ)$

Figure 31: Normal forms in the $\lambda^P_i$ type language


Lemma C.3 If $\vdash E[e] : \tau$, then there exists a $\tau'$ such that $\vdash e : \tau'$, and for all $e'$ such that $\vdash e' : \tau'$ we have $\vdash E[e'] : \tau$.

Proof The proof is by induction over the derivation of $\vdash E[e] : \tau$. All the cases are proved similarly. We will consider only one of the new cases.

Suppose $E = \mathsf{fold}\,E_1\ \mathsf{as}\ \tau$. Then we have that $\vdash E_1[e] : \tau_1$ for some type $\tau_1$. Applying the inductive hypothesis to $E_1$, we get that there exists a $\tau'$ such that $\vdash e : \tau'$ and for all $e'$ of type $\tau'$ we have that $\vdash E_1[e'] : \tau_1$. □

Corollary C.4 (Progress) If $\vdash e : \tau$, then either $e$ is a value or there exists an $e_1$ such that $e \mapsto e_1$.

Proof By lemma C.2, we know that if $\vdash e : \tau$, then either $e$ is a value or there exist an $E$ and a redex $e'$ such that $e = E[e']$. Since $e'$ is a redex, there exists a reduct $e''$ such that $e' \leadsto e''$. Therefore, $e \mapsto e_1$ for $e_1 = E[e'']$.

We now prove a number of substitution lemmas.

Lemma C.5 If $\mathcal{E}, \chi \vdash \kappa$ and $\mathcal{E} \vdash \kappa'$, then $\mathcal{E} \vdash \kappa\{\kappa'/\chi\}$.

Lemma C.6 If $\mathcal{E}, \chi; \Delta \vdash \tau : \kappa$ and $\mathcal{E} \vdash \kappa'$, then $\mathcal{E}; \Delta\{\kappa'/\chi\} \vdash \tau\{\kappa'/\chi\} : \kappa\{\kappa'/\chi\}$.

Proof The proof is by induction over the structure of $\tau$. All the cases follow in a straightforward manner by applying the inductive hypothesis to the subtypes. □

Lemma C.7 If $\mathcal{E}; \Delta, \alpha{:}\kappa' \vdash \tau : \kappa$ and $\mathcal{E}; \Delta \vdash \tau' : \kappa'$, then $\mathcal{E}; \Delta \vdash \tau\{\tau'/\alpha\} : \kappa$.

Proof The proof follows in a straightforward way by induction over the structure of $\tau$. □

Lemma C.8 If $\mathcal{E}; \Delta, \alpha{:}\kappa; \Gamma \vdash e : \tau$ and $\mathcal{E}; \Delta \vdash \tau' : \kappa$, then $\mathcal{E}; \Delta; \Gamma\{\tau'/\alpha\} \vdash e\{\tau'/\alpha\} : \tau\{\tau'/\alpha\}$.

Proof The proof is by induction over the structure of $e$ and is similar to the proof of this lemma for $\lambda^Q_i$. □

Lemma C.9 If $\mathcal{E}; \Delta; \Gamma, x{:}\tau' \vdash e : \tau$ and $\mathcal{E}; \Delta; \Gamma \vdash e' : \tau'$, then $\mathcal{E}; \Delta; \Gamma \vdash e\{e'/x\} : \tau$.

Proof The proof is by induction over the structure of $e$ and is similar to the proof of this lemma for $\lambda^Q_i$. □

Lemma C.10 If $\mathcal{E}, \chi; \Delta; \Gamma \vdash e : \tau$ and $\mathcal{E} \vdash \kappa$, then $\mathcal{E}; \Delta\{\kappa/\chi\}; \Gamma\{\kappa/\chi\} \vdash e\{\kappa/\chi\} : \tau\{\kappa/\chi\}$.

Proof The proof follows in a straightforward way by induction over the structure of $e$ and is similar to the proof of the other substitution lemmas. □


(kinds) $\kappa ::= \Omega \mid \kappa \to \kappa' \mid \chi \mid \forall\chi.\kappa$

(types) $\tau ::= \mathsf{int} \mid {\to} \mid \forall \mid \forall^+ \mid \mu \mid \mathsf{Place} \mid \alpha \mid \Lambda\chi.\tau \mid \lambda\alpha{:}\kappa.\tau \mid \tau[\kappa] \mid \tau\,\tau'$
$\mid \mathsf{Typerec}[\kappa]\,\tau\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu)$

Figure 32: The $\lambda^P_i$ type language

Definition C.11 $e$ evaluates to $e'$ (written $e \mapsto e'$) if there exist $E$, $e_1$, and $e_2$ such that $e = E[e_1]$ and $e' = E[e_2]$ and $e_1 \leadsto e_2$.

Theorem C.12 (Subject reduction) If $\vdash e : \tau$ and $e \mapsto e'$, then $\vdash e' : \tau$.

Proof By lemma C.2, we know that there exist a unique $E$ and a unique redex $e_1$ such that $e = E[e_1]$. Since $e \mapsto e'$, there exists an $e_2$ such that $e' = E[e_2]$ and $e_1 \leadsto e_2$. By lemma C.3, we know that for some $\tau_1$ we have that $\vdash e_1 : \tau_1$. By the same lemma, we only need to prove that $\vdash e_2 : \tau_1$. We prove the theorem by considering each possible redex.

Suppose $e_1 = (\lambda x{:}\tau.e)\,v$. Then $e_2 = e\{v/x\}$. We know that $\varepsilon; \varepsilon; \varepsilon, x{:}\tau \vdash e : \tau'$ for some type $\tau'$ and $\varepsilon; \varepsilon; \varepsilon \vdash v : \tau$. Applying lemma C.9 leads to the result.

Suppose $e_1 = (\Lambda\alpha{:}\kappa.v)[\tau]$. Then $e_2 = v\{\tau/\alpha\}$. We know that $\varepsilon; \varepsilon, \alpha{:}\kappa; \varepsilon \vdash v : \tau'$ for some type $\tau'$ and $\varepsilon; \varepsilon \vdash \tau : \kappa$. Applying lemma C.8 leads to the result.

The case of $e_1 = (\Lambda^+\chi.e)[\kappa]^+$ is similar to the previous two cases and requires lemma C.10.

All of the fix reduction cases are proved similarly. We will consider only one case here. Suppose $e_1 = (\mathsf{fix}\,x{:}\tau.v)\,v'$. Then $e_2 = (v\{\mathsf{fix}\,x{:}\tau.v/x\})\,v'$. We have that $\vdash (\mathsf{fix}\,x{:}\tau.v)\,v' : \tau_1$. By the typing rules for term application we get that for some $\tau_2$,

$\vdash \mathsf{fix}\,x{:}\tau.v : \tau_2 \to \tau_1$ and $\vdash v' : \tau_2$

By the typing rule for fix we get that

$\tau = \tau_2 \to \tau_1$ and $\varepsilon; \varepsilon; \varepsilon, x{:}\tau_2 \to \tau_1 \vdash v : \tau_2 \to \tau_1$

Using Lemma C.9 and the typing rule for application, we obtain the desired judgment

$\vdash (v\{\mathsf{fix}\,x{:}\tau.v/x\})\,v' : \tau_1$

The unfold case follows trivially from the typing rules.

Suppose $e_1 = \mathsf{typecase}[\tau]\,\tau_1\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu)$. If $\tau_1$ is in normal form $\nu_1$, by the second premise of the typing rule for typecase and Lemma C.1 we have five cases for $\nu_1$. In each case the contraction has the desired type $\tau\,\nu_1$, according to the corresponding premises of the typecase typing rule and the rules for type and kind applications. If $\tau_1$ is not in normal form, then $e_1$ reduces to $\mathsf{typecase}[\tau]\,\nu_1\ \mathsf{of}\ (e_{\mathrm{int}}; e_\to; e_\forall; e_{\forall^+}; e_\mu)$ where $\nu_1$ is the corresponding normal form. Since the type system is strongly normalizing, this reduction always terminates, and since the type system is confluent, $\tau\,\tau_1 = \tau\,\nu_1$. □


$(\beta_1)\quad (\lambda\alpha{:}\kappa.\tau)\,\tau' \leadsto \tau\{\tau'/\alpha\}$

$(\beta_2)\quad (\Lambda\chi.\tau)[\kappa] \leadsto \tau\{\kappa/\chi\}$

$(\eta_1)\quad \lambda\alpha{:}\kappa.\tau\,\alpha \leadsto \tau \qquad \alpha \notin ftv(\tau)$

$(\eta_2)\quad \Lambda\chi.\tau[\chi] \leadsto \tau \qquad \chi \notin fkv(\tau)$

$(\iota_1)\quad \mathsf{Typerec}[\kappa]\,(\mathsf{int}[\kappa])\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu) \leadsto \tau_{\mathrm{int}}$

$(\iota_2)\quad \mathsf{Typerec}[\kappa]\,((\to)[\kappa]\,\tau_1\,\tau_2)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu) \leadsto$
$\qquad \tau_\to\ \tau_1\ \tau_2\ (\mathsf{Typerec}[\kappa]\,\tau_1\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu))\ (\mathsf{Typerec}[\kappa]\,\tau_2\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu))$

$(\iota_3)\quad \mathsf{Typerec}[\kappa]\,(\forall[\kappa][\kappa']\,\tau)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu) \leadsto$
$\qquad \tau_\forall\ [\kappa']\ \tau\ (\lambda\alpha{:}\kappa'.\ \mathsf{Typerec}[\kappa]\,(\tau\,\alpha)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu))$

$(\iota_4)\quad \mathsf{Typerec}[\kappa]\,(\forall^+[\kappa]\,\tau)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu) \leadsto$
$\qquad \tau_{\forall^+}\ \tau\ (\Lambda\chi.\ \mathsf{Typerec}[\kappa]\,\tau[\chi]\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu))$

$(\iota_5)\quad \mathsf{Typerec}[\kappa]\,(\mu[\kappa]\,\tau)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu) \leadsto$
$\qquad \tau_\mu\ \tau\ (\lambda\alpha{:}\kappa.\ \mathsf{Typerec}[\kappa]\,(\tau\,(\mathsf{Place}[\kappa]\,\alpha))\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu))$

$(\iota_6)\quad \mathsf{Typerec}[\kappa]\,(\mathsf{Place}[\kappa]\,\tau)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu) \leadsto \tau$

Figure 33: Type reductions


C.2 Strong Normalization of $\lambda^P_i$

The type language is shown in Figure 32. The single step reduction relation ($\tau \leadsto \tau'$) is shown in Figure 33.

Lemma C.13 If $\mathcal{E}; \Delta \vdash \tau : \kappa$ and $\tau \leadsto \tau'$, then $\mathcal{E}; \Delta \vdash \tau' : \kappa$.

Proof (Sketch) The proof follows from a case analysis of the reduction relation ($\leadsto$). □

Lemma C.14 If $\tau_1 \leadsto \tau_2$, then $\tau_1\{\tau/\alpha\} \leadsto \tau_2\{\tau/\alpha\}$.

Proof The proof is by enumerating each possible reduction from $\tau_1$ to $\tau_2$. We will only show the cases that are different from $\lambda^Q_i$.

case $\iota_1$: $\tau_1 = \mathsf{Typerec}[\kappa]\,(\mathsf{int}[\kappa])\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu)$ and $\tau_2 = \tau_{\mathrm{int}}$. We get that

$\tau_1\{\tau/\alpha\} = \mathsf{Typerec}[\kappa]\,(\mathsf{int}[\kappa])\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\}; \tau_\to\{\tau/\alpha\}; \tau_\forall\{\tau/\alpha\}; \tau_{\forall^+}\{\tau/\alpha\}; \tau_\mu\{\tau/\alpha\})$

But this reduces by the $\iota_1$ reduction to $\tau_{\mathrm{int}}\{\tau/\alpha\}$.

case $\iota_2$: $\tau_1 = \mathsf{Typerec}[\kappa]\,((\to)[\kappa]\,\tau'\,\tau'')\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu)$ and

$\tau_2 = \tau_\to\ \tau'\ \tau''\ (\mathsf{Typerec}[\kappa]\,\tau'\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu))\ (\mathsf{Typerec}[\kappa]\,\tau''\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu))$

We get that

$\tau_1\{\tau/\alpha\} = \mathsf{Typerec}[\kappa]\,((\to)[\kappa]\,(\tau'\{\tau/\alpha\})\,(\tau''\{\tau/\alpha\}))\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\}; \tau_\to\{\tau/\alpha\}; \tau_\forall\{\tau/\alpha\}; \tau_{\forall^+}\{\tau/\alpha\}; \tau_\mu\{\tau/\alpha\})$

This reduces by $\iota_2$ to

$\tau_\to\{\tau/\alpha\}\ (\tau'\{\tau/\alpha\})\ (\tau''\{\tau/\alpha\})$
$\quad (\mathsf{Typerec}[\kappa]\,(\tau'\{\tau/\alpha\})\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\}; \tau_\to\{\tau/\alpha\}; \tau_\forall\{\tau/\alpha\}; \tau_{\forall^+}\{\tau/\alpha\}; \tau_\mu\{\tau/\alpha\}))$
$\quad (\mathsf{Typerec}[\kappa]\,(\tau''\{\tau/\alpha\})\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\}; \tau_\to\{\tau/\alpha\}; \tau_\forall\{\tau/\alpha\}; \tau_{\forall^+}\{\tau/\alpha\}; \tau_\mu\{\tau/\alpha\}))$
But this is syntactically equal to $\tau_2\{\tau/\alpha\}$.

case $\iota_3$: $\tau_1 = \mathsf{Typerec}[\kappa]\,(\forall[\kappa][\kappa']\,\tau')\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu)$ and

$\tau_2 = \tau_\forall\ [\kappa']\ \tau'\ (\lambda\beta{:}\kappa'.\ \mathsf{Typerec}[\kappa]\,(\tau'\,\beta)\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu))$

We get that

$\tau_1\{\tau/\alpha\} = \mathsf{Typerec}[\kappa]\,(\forall[\kappa][\kappa']\,\tau'\{\tau/\alpha\})\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\}; \tau_\to\{\tau/\alpha\}; \tau_\forall\{\tau/\alpha\}; \tau_{\forall^+}\{\tau/\alpha\}; \tau_\mu\{\tau/\alpha\})$

This reduces by $\iota_3$ to

$\tau_\forall\{\tau/\alpha\}\ [\kappa']\ (\tau'\{\tau/\alpha\})$
$\quad (\lambda\beta{:}\kappa'.\ \mathsf{Typerec}[\kappa]\,((\tau'\{\tau/\alpha\})\,\beta)\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\}; \tau_\to\{\tau/\alpha\}; \tau_\forall\{\tau/\alpha\}; \tau_{\forall^+}\{\tau/\alpha\}; \tau_\mu\{\tau/\alpha\}))$

But this is syntactically equivalent to $\tau_2\{\tau/\alpha\}$.

case $\iota_4$: $\tau_1 = \mathsf{Typerec}[\kappa]\,(\forall^+[\kappa]\,\tau')\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu)$ and

$\tau_2 = \tau_{\forall^+}\ \tau'\ (\Lambda\chi.\ \mathsf{Typerec}[\kappa]\,(\tau'[\chi])\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu))$

We get that

$\tau_1\{\tau/\alpha\} = \mathsf{Typerec}[\kappa]\,(\forall^+[\kappa]\,\tau'\{\tau/\alpha\})\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\}; \tau_\to\{\tau/\alpha\}; \tau_\forall\{\tau/\alpha\}; \tau_{\forall^+}\{\tau/\alpha\}; \tau_\mu\{\tau/\alpha\})$

This reduces by $\iota_4$ to

$\tau_{\forall^+}\{\tau/\alpha\}\ (\tau'\{\tau/\alpha\})$
$\quad (\Lambda\chi.\ \mathsf{Typerec}[\kappa]\,((\tau'\{\tau/\alpha\})[\chi])\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\}; \tau_\to\{\tau/\alpha\}; \tau_\forall\{\tau/\alpha\}; \tau_{\forall^+}\{\tau/\alpha\}; \tau_\mu\{\tau/\alpha\}))$

But this is syntactically equal to $\tau_2\{\tau/\alpha\}$.

case $\iota_5$: $\tau_1 = \mathsf{Typerec}[\kappa]\,(\mu[\kappa]\,\tau')\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu)$ and

$\tau_2 = \tau_\mu\ \tau'\ (\lambda\beta{:}\kappa.\ \mathsf{Typerec}[\kappa]\,(\tau'\,(\mathsf{Place}[\kappa]\,\beta))\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu))$

We get that

$\tau_1\{\tau/\alpha\} = \mathsf{Typerec}[\kappa]\,(\mu[\kappa]\,\tau'\{\tau/\alpha\})\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\}; \tau_\to\{\tau/\alpha\}; \tau_\forall\{\tau/\alpha\}; \tau_{\forall^+}\{\tau/\alpha\}; \tau_\mu\{\tau/\alpha\})$

This reduces by $\iota_5$ to

$\tau_\mu\{\tau/\alpha\}\ (\tau'\{\tau/\alpha\})$
$\quad (\lambda\beta{:}\kappa.\ \mathsf{Typerec}[\kappa]\,((\tau'\{\tau/\alpha\})\,(\mathsf{Place}[\kappa]\,\beta))\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\}; \tau_\to\{\tau/\alpha\}; \tau_\forall\{\tau/\alpha\}; \tau_{\forall^+}\{\tau/\alpha\}; \tau_\mu\{\tau/\alpha\}))$

But this is syntactically equal to $\tau_2\{\tau/\alpha\}$.

case $\iota_6$: $\tau_1 = \mathsf{Typerec}[\kappa]\,(\mathsf{Place}[\kappa]\,\tau')\ \mathsf{of}\ (\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu)$ and $\tau_2 = \tau'$. We get that

$\tau_1\{\tau/\alpha\} = \mathsf{Typerec}[\kappa]\,(\mathsf{Place}[\kappa]\,\tau'\{\tau/\alpha\})\ \mathsf{of}\ (\tau_{\mathrm{int}}\{\tau/\alpha\}; \tau_\to\{\tau/\alpha\}; \tau_\forall\{\tau/\alpha\}; \tau_{\forall^+}\{\tau/\alpha\}; \tau_\mu\{\tau/\alpha\})$

This reduces by $\iota_6$ to $\tau'\{\tau/\alpha\}$.
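As an added worked reduction (not from the paper), the $\mu$ and $\mathsf{Place}$ rules of Figure 33 applied to a constructed recursive type. The body $\tau_b = \lambda\beta{:}\kappa.\,(\to)[\kappa]\,(\mathsf{int}[\kappa])\,\beta$, of kind $\kappa \to \kappa$, is constructed for this example; the branch types are arbitrary and $\bar{\tau}$ abbreviates $(\tau_{\mathrm{int}}; \tau_\to; \tau_\forall; \tau_{\forall^+}; \tau_\mu)$.

\[
\begin{array}{rl}
& \mathsf{Typerec}[\kappa]\,(\mu[\kappa]\,\tau_b)\ \mathsf{of}\ \bar{\tau} \\
\leadsto_{\iota_5} & \tau_\mu\ \tau_b\ (\lambda\alpha{:}\kappa.\ \mathsf{Typerec}[\kappa]\,(\tau_b\,(\mathsf{Place}[\kappa]\,\alpha))\ \mathsf{of}\ \bar{\tau}) \\
\leadsto_{\beta_1} & \tau_\mu\ \tau_b\ (\lambda\alpha{:}\kappa.\ \mathsf{Typerec}[\kappa]\,((\to)[\kappa]\,(\mathsf{int}[\kappa])\,(\mathsf{Place}[\kappa]\,\alpha))\ \mathsf{of}\ \bar{\tau}) \\
\leadsto_{\iota_2} & \tau_\mu\ \tau_b\ (\lambda\alpha{:}\kappa.\ \tau_\to\ (\mathsf{int}[\kappa])\ (\mathsf{Place}[\kappa]\,\alpha)\ (\mathsf{Typerec}[\kappa]\,(\mathsf{int}[\kappa])\ \mathsf{of}\ \bar{\tau})\ (\mathsf{Typerec}[\kappa]\,(\mathsf{Place}[\kappa]\,\alpha)\ \mathsf{of}\ \bar{\tau})) \\
\leadsto_{\iota_1} & \tau_\mu\ \tau_b\ (\lambda\alpha{:}\kappa.\ \tau_\to\ (\mathsf{int}[\kappa])\ (\mathsf{Place}[\kappa]\,\alpha)\ \tau_{\mathrm{int}}\ (\mathsf{Typerec}[\kappa]\,(\mathsf{Place}[\kappa]\,\alpha)\ \mathsf{of}\ \bar{\tau})) \\
\leadsto_{\iota_6} & \tau_\mu\ \tau_b\ (\lambda\alpha{:}\kappa.\ \tau_\to\ (\mathsf{int}[\kappa])\ (\mathsf{Place}[\kappa]\,\alpha)\ \tau_{\mathrm{int}}\ \alpha)
\end{array}
\]

The recursive occurrence of the body is marked by $\mathsf{Place}[\kappa]\,\alpha$; $\iota_6$ returns $\alpha$, the result of kind $\kappa$ standing for the analysis of that occurrence, instead of analyzing it again, which is why the sequence terminates.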

Lemma  C.15  Ifn  T2,  then  Ti-jV/x^  T2 W /x!}- 


Proof  This  is  proved  by  case  analysis  of  the  type  reduction  rela¬ 
tion.  We  will  only  show  the  cases  that  are  different  from  A  f. 

case  1 1:  n  =  Typerec[jc]  (int  [«])  of  (rint;  r_>.;  rv;  r^v;  tm) 
and  T2  =  Tint.  We  get  that 

TiW/x'}  = 

Typerec[/c{K7x'}]  (int  [«{«7x'}])  of 

(7tnt{«7x'};  t-{«7x'};  tvW/x'};  v(k7x'};  t-m{k7x'}) 

But  this  reduces  by  the  ti  reduction  to  rint{«;7x,}• 

case  t2:  n  =  Typerec[/v]  ((-4)  [k]tV")  of  (rint;  r_;  rv;  rv+;  rM) 

and 

r2  =  r_»  r' r"  (Typerec[/-c]  r'  of  (rint;  r^;  rv;  rv+;  rM)) 
(Typerec[«]  r"  of  (nnt;  r^;  rv;  rv+;  rM)) 

We  get  that 

tiW/x'}  = 

TyperecWWx'}]  (W)  [«{Wx'}]'r,{«7x'}'r"{K7x'})  of 

(7]nt{«7 x'};  WWx'};  tvW/x'};  v(«7x'};  WWx'}) 

This  reduces  by  f2  to 

rWWx'}  7V/x'})  7'V/x'» 

(Typerec[/t{K7x'}]  (t'{«7x'})  of 
(7int{K7x'};  t-(k7x'};  MWx'};  v-{«7x'};  yW/x'})) 
(Typerec[/t{/«7x'}]  (t'W/x'})  of 
Wtl^/x'};  WWx'};  Mk7x'};  v-{«7x'};  W«7x'})) 

But  this  is  syntactically  equal  to  T2{/v7x,}• 

case  f3:  n  =  Typerec[K]  (V  [k]  [ki]  r')  of  (rint;  r^;  rv;  r^) 

and 

T2  =  rv  [ki]  r' 

(A/3:ki.  Typerec[«]  (r'/3)  of  (rint;  r_;  rv;  tv f;  r^)) 

We  get  that 

ti{k7x'}  = 

Typerec[/c{K7x'}]  (V  [«{«7x'}]  [«i{«7x'}] 'r'{K7x'})  of 

(Tintj^/x'};  t_>{k7x'};  w{k7x'};  v(k7x'};  ^{«7x'}) 

This  reduces  by  f3  to 

rv{«7x'}  [«i{k7x'}]  7V/x'» 

(A/3 :  «i{k;7x/}- Typerec[Ar{/v,/x,>]  ((r'W/x'})  0)  of 

(rintl^/x'l;  t-{k7x'};  tvW/x'};  rvf'tK7x'};  t^{«7x'})) 

But  this  is  syntactically  equivalent  to  T2{K7x,}■ 

case  U:  n  =  Typerec[/r]  (V  [/t]  r')  of  (rint;  r^;  rv;  rv+;  rM) 

and 

T2  =  Tyf  r'  (Ax-  TypereW]  (r'  [x])  of  (tint;  r^;  tv;  r^;  rM)) 

We  get  that 

tiW/x'}  = 

Typerec[K{K7x'}]  (^+  [«{«7x'}]  T'{«7x'})  of 

Wtl^/x'};  tt-W/T:'};  tv{«7x'};  v(«7x'};  tm{k7x'}) 

This  reduces  by  f4  to 

Wt^/x'}  (r'{«7x'» 

(Ax-  Typerec[K{/t'/x'}]  (7'{« 7x'»  lx])  of 

WtlK'/x'};  t-^{«7x'};  tv{k'/x'};  vl^/x'};  v(k7x'})) 
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But  this  is  syntactically  equal  to  T2{k' /~x!}- 

case  t5:  n  =  Typerec[n]  (fi  [k]  t')  of  (rin t;  t^;  tv;  tv+;  rM) 

and 

T2  =  Tm  t' 

(\ot.k.  Typerec[n]  (r'  (Place  [k]  a))  of  (rint;  T->\  7v;  Tyt-;  r^)) 
We  get  that 

ti{«7x'}  = 

Typerec[K{«7x'}]  (P  [«{«7x'}]  t'{k7x'})  °f 
(Tint{«7x'};  r^W/x'}-,  tv{«7x'};  v^/x'};  vK/x'}) 

This  reduces  by  fs  to 

t-„K/x'}7V/x'}) 

(Aa:K{«7x'}- 

Typerec[n{n'/x'}]  (7'{«7x'})  (Place  [fc-jV/x'}]  «))  of 
(7int{/«7x'};  t-(k7x'};  w-jV/x'};  v-jV/x'};  t^{«7x'})) 

But  this  is  syntactically  equal  to  T2{k,/x/}- 

casef6:  n  =  Typerec[n]  (Place  [n]  t')  of  (tint;  t_>;  7v;  Tyt-;  rM) 
and  t 2  =  t\  We  get  that 

ri{«7x'}  = 

Typerec[h'{K7x'}]  (Place  [k{«7x'}]  t'W/x '})  of 
(rint{«7x'};  r-^{«7x'};  w-iy/x'};  v(«7x'};  v{«'/x'}) 

This  reduces  by  to  to  t'{k'/x'}-  1=1 
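The six cases above can be checked mechanically. The following is an added example, not code from the paper: a tiny evaluator for the kind-indexed type language of this appendix, restricted to kind substitution and the head-reduction rules $\iota_1$ to $\iota_6$, which verifies on one constructed redex per rule that substituting a kind for a kind variable and then reducing yields the same type as reducing and then substituting. The tuple encoding, the tag names (for instance `'omega'` for the kind $\Omega_\kappa$), and the fixed binder names `'b'`, `'x'`, `'a'` introduced by the reducts are this example's own choices; capture avoidance is not modelled, so those names are assumed distinct from the variable being substituted for.

```python
"""Kind substitution commutes with Typerec head reduction: Lemma C.15, mechanised.

Added example, not code from the paper.  Kinds and types are nested tuples; the
tags (e.g. 'omega' for the kind Omega_kappa) and the fixed binder names 'b', 'x',
'a' introduced by the reducts are this example's own choices, assumed distinct
from the variable being substituted for (capture avoidance is not modelled).
"""

# Kinds: ('omega', k) | ('kvar', chi) | ('karr', k1, k2) | ('kall', chi, k)
# Types: ('int', k) | ('arrow', k, t1, t2) | ('all', k, k1, t) | ('allplus', k, t)
#        | ('mu', k, t) | ('place', k, t) | ('var', a) | ('lam', a, k, t)
#        | ('klam', chi, t) | ('app', t1, t2) | ('kapp', t, k)
#        | ('typerec', k, t, (t_int, t_arrow, t_all, t_allplus, t_mu))


def subst(node, chi, kp):
    """node{kp/chi}: replace kind variable chi by kind kp in a kind, a type,
    or a tuple of branch types.  Names (str) are left alone."""
    if isinstance(node, str):
        return node
    if isinstance(node[0], tuple):                     # the branch tuple
        return tuple(subst(b, chi, kp) for b in node)
    tag = node[0]
    if tag == 'kvar':
        return kp if node[1] == chi else node
    if tag in ('kall', 'klam') and node[1] == chi:     # binder shadows chi: stop
        return node
    return (tag,) + tuple(subst(f, chi, kp) for f in node[1:])


def app(f, *args):
    """Left-nested type application f a1 ... an."""
    for a in args:
        f = ('app', f, a)
    return f


def head_step(t):
    """One Typerec head reduction (iota_1 .. iota_6); None if t is no such redex."""
    if t[0] != 'typerec':
        return None
    _, k, scrut, br = t
    t_int, t_arrow, t_all, t_allplus, t_mu = br
    rec = lambda x: ('typerec', k, x, br)              # Typerec[k] x of br
    tag = scrut[0]
    if tag == 'int':                                   # iota_1
        return t_int
    if tag == 'arrow':                                 # iota_2
        t1, t2 = scrut[2], scrut[3]
        return app(t_arrow, t1, t2, rec(t1), rec(t2))
    if tag == 'all':                                   # iota_3, binder beta : k1
        k1, t1 = scrut[2], scrut[3]
        body = rec(('app', t1, ('var', 'b')))
        return app(('kapp', t_all, k1), t1, ('lam', 'b', k1, body))
    if tag == 'allplus':                               # iota_4, binder Lambda chi
        t1 = scrut[2]
        body = rec(('kapp', t1, ('kvar', 'x')))
        return app(t_allplus, t1, ('klam', 'x', body))
    if tag == 'mu':                                    # iota_5, Place[k] alpha
        t1 = scrut[2]
        body = rec(('app', t1, ('place', k, ('var', 'a'))))
        return app(t_mu, t1, ('lam', 'a', k, body))
    if tag == 'place':                                 # iota_6
        return scrut[2]
    return None


def commutes(t, chi, kp):
    """Lemma C.15 for one step: head_step(t{kp/chi}) == (head_step t){kp/chi}."""
    before = head_step(t)
    after = head_step(subst(t, chi, kp))
    if before is None:
        return after is None
    return after == subst(before, chi, kp)


# Constructed sample: Typerec indexed by the open kind c, one redex per rule;
# opaque variables stand in for the branches and for the payload types.
K0 = ('kall', 'z', ('kvar', 'z'))                      # a closed kind to substitute for c
KAPPA = ('kvar', 'c')
BR = tuple(('var', n) for n in ('t_int', 't_arrow', 't_all', 't_allplus', 't_mu'))


def sample_redexes():
    k, i = KAPPA, ('int', KAPPA)
    return [('typerec', k, i, BR),
            ('typerec', k, ('arrow', k, i, i), BR),
            ('typerec', k, ('all', k, k, ('var', 'f')), BR),
            ('typerec', k, ('allplus', k, ('var', 'g')), BR),
            ('typerec', k, ('mu', k, ('var', 'h')), BR),
            ('typerec', k, ('place', k, ('var', 'p')), BR)]


def check_all():
    """True when substitution and head reduction commute on every sample redex."""
    return all(commutes(t, 'c', K0) for t in sample_redexes())


if __name__ == '__main__':
    print('Lemma C.15 holds on the samples:', check_all())
```

Running the file prints the result of `check_all()`; the interesting cases are $\iota_3$ and $\iota_5$, where the reduct introduces a new binder whose kind annotation ($\kappa_1$, respectively $\kappa$) must itself be substituted for the two orders to agree.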

Definition C.16 A type $\tau$ is strongly normalizable if every reduction sequence from $\tau$ terminates. We use $\nu(\tau)$ to denote the length of the largest reduction sequence from $\tau$ to a normal form.

Definition C.17 We define neutral types, $n$, as
\[ n_0 ::= \Lambda\chi.\,\tau \mid \lambda\alpha{:}\kappa.\,\tau \]
\[ n ::= \alpha \mid n_0\,\tau \mid n\,\tau \mid n_0\,[\kappa] \mid n\,[\kappa] \mid \mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu}) \]

Definition C.18 A reducibility candidate (also referred to as a candidate) of kind $\kappa$ is a set $\mathcal{C}$ of types of kind $\kappa$ such that

1. if $\tau \in \mathcal{C}$, then $\tau$ is strongly normalizable.

2. if $\tau \in \mathcal{C}$ and $\tau \leadsto \tau'$, then $\tau' \in \mathcal{C}$.

3. if $\tau$ is neutral and if for all $\tau'$ such that $\tau \leadsto \tau'$, we have that $\tau' \in \mathcal{C}$, then $\tau \in \mathcal{C}$.

This implies that the candidates are never empty since if $\alpha$ has kind $\kappa$, then $\alpha$ belongs to candidates of kind $\kappa$.

Definition C.19 Let $\kappa$ be an arbitrary kind. Let $\mathcal{C}_\kappa$ be a candidate of kind $\kappa$. Let $\mathcal{C}_{\Omega_\kappa\to\Omega_\kappa\to\kappa\to\kappa\to\kappa}$ be a candidate of kind $\Omega_\kappa\to\Omega_\kappa\to\kappa\to\kappa\to\kappa$. Let $\mathcal{C}_{\forall\chi.(\chi\to\Omega_\kappa)\to(\chi\to\kappa)\to\kappa}$ be a candidate of kind $\forall\chi.\,(\chi\to\Omega_\kappa)\to(\chi\to\kappa)\to\kappa$. Let $\mathcal{C}_{(\forall\chi.\Omega_\kappa)\to(\forall\chi.\kappa)\to\kappa}$ be a candidate of kind $(\forall\chi.\,\Omega_\kappa)\to(\forall\chi.\,\kappa)\to\kappa$. Let $\mathcal{C}_{(\Omega_\kappa\to\Omega_\kappa)\to(\kappa\to\kappa)\to\kappa}$ be a candidate of kind $(\Omega_\kappa\to\Omega_\kappa)\to(\kappa\to\kappa)\to\kappa$. We then define the set $\mathcal{R}_\Omega\,\mathcal{C}_\kappa$ of types of kind $\Omega_\kappa$ as
\[
\begin{array}{l}
\tau \in \mathcal{R}_\Omega\,\mathcal{C}_\kappa \ \text{ iff } \\
\quad \forall\tau_{\mathrm{int}} \in \mathcal{C}_\kappa, \\
\quad \forall\tau_{\to} \in \mathcal{C}_{\Omega_\kappa\to\Omega_\kappa\to\kappa\to\kappa\to\kappa}, \\
\quad \forall\tau_{\forall} \in \mathcal{C}_{\forall\chi.(\chi\to\Omega_\kappa)\to(\chi\to\kappa)\to\kappa}, \\
\quad \forall\tau_{\forall^+} \in \mathcal{C}_{(\forall\chi.\Omega_\kappa)\to(\forall\chi.\kappa)\to\kappa}, \\
\quad \forall\tau_{\mu} \in \mathcal{C}_{(\Omega_\kappa\to\Omega_\kappa)\to(\kappa\to\kappa)\to\kappa} \\
\quad \Rightarrow\ \mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu}) \in \mathcal{C}_\kappa
\end{array}
\]

Lemma C.20 If $\mathcal{C}_\kappa$ is a candidate of kind $\kappa$, then $\mathcal{R}_\Omega\,\mathcal{C}_\kappa$ is a candidate of kind $\Omega_\kappa$.

Proof Suppose $\tau \in \mathcal{R}_\Omega\,\mathcal{C}_\kappa$. Suppose $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$ belong to $\mathcal{C}_\kappa$, $\mathcal{C}_{\Omega_\kappa\to\Omega_\kappa\to\kappa\to\kappa\to\kappa}$, $\mathcal{C}_{\forall\chi.(\chi\to\Omega_\kappa)\to(\chi\to\kappa)\to\kappa}$, $\mathcal{C}_{(\forall\chi.\Omega_\kappa)\to(\forall\chi.\kappa)\to\kappa}$, and $\mathcal{C}_{(\Omega_\kappa\to\Omega_\kappa)\to(\kappa\to\kappa)\to\kappa}$ respectively, where the candidates are of the appropriate kinds (see definition C.19). In this proof $\bar\tau$ abbreviates the branches $(\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$.

Consider $\tau' = \mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ \bar\tau$. By definition this belongs to $\mathcal{C}_\kappa$. By property 1 of definition C.18, $\tau'$ is strongly normalizable and therefore $\tau$ must be strongly normalizable.

Consider $\tau' = \mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ \bar\tau$. Suppose $\tau \leadsto \tau_1$. Then $\tau' \leadsto \mathrm{Typerec}[\kappa]\,\tau_1\ \mathrm{of}\ \bar\tau$. Since $\tau' \in \mathcal{C}_\kappa$, $\mathrm{Typerec}[\kappa]\,\tau_1\ \mathrm{of}\ \bar\tau$ belongs to $\mathcal{C}_\kappa$ by property 2 of definition C.18. Therefore, by definition, $\tau_1$ belongs to $\mathcal{R}_\Omega\,\mathcal{C}_\kappa$.

Suppose $\tau$ is neutral and for all $\tau_1$ such that $\tau \leadsto \tau_1$, $\tau_1 \in \mathcal{R}_\Omega\,\mathcal{C}_\kappa$. Consider $\tau' = \mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ \bar\tau$. Since we know that $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$ are strongly normalizable, we can induct over $len = \nu(\tau_{\mathrm{int}}) + \nu(\tau_{\to}) + \nu(\tau_{\forall}) + \nu(\tau_{\forall^+}) + \nu(\tau_{\mu})$. We will prove that for all values of $len$, the type $\mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ \bar\tau$ always reduces to a type that belongs to $\mathcal{C}_\kappa$, given that $\tau_{\mathrm{int}} \in \mathcal{C}_\kappa$, and $\tau_{\to} \in \mathcal{C}_{\Omega_\kappa\to\Omega_\kappa\to\kappa\to\kappa\to\kappa}$, and $\tau_{\forall} \in \mathcal{C}_{\forall\chi.(\chi\to\Omega_\kappa)\to(\chi\to\kappa)\to\kappa}$, and $\tau_{\forall^+} \in \mathcal{C}_{(\forall\chi.\Omega_\kappa)\to(\forall\chi.\kappa)\to\kappa}$, and $\tau_{\mu} \in \mathcal{C}_{(\Omega_\kappa\to\Omega_\kappa)\to(\kappa\to\kappa)\to\kappa}$.

• $len = 0$ Then $\tau' \leadsto \mathrm{Typerec}[\kappa]\,\tau_1\ \mathrm{of}\ \bar\tau$ is the only possible reduction since $\tau$ is neutral. By the assumption on $\tau_1$, this belongs to $\mathcal{C}_\kappa$.

• $len = k + 1$ For the inductive case, assume that the hypothesis is true for $len = k$. That is, for $len = k$, the type $\mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ \bar\tau$ always reduces to a type that belongs to $\mathcal{C}_\kappa$, given that $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$ belong to $\mathcal{C}_\kappa$, $\mathcal{C}_{\Omega_\kappa\to\Omega_\kappa\to\kappa\to\kappa\to\kappa}$, $\mathcal{C}_{\forall\chi.(\chi\to\Omega_\kappa)\to(\chi\to\kappa)\to\kappa}$, $\mathcal{C}_{(\forall\chi.\Omega_\kappa)\to(\forall\chi.\kappa)\to\kappa}$, and $\mathcal{C}_{(\Omega_\kappa\to\Omega_\kappa)\to(\kappa\to\kappa)\to\kappa}$ respectively. By property 3 of definition C.18, $\mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ \bar\tau$ belongs to $\mathcal{C}_\kappa$ for $len = k$. Consider
\[ \tau' = \mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ \bar\tau \]
for $len = k + 1$. This can reduce to $\mathrm{Typerec}[\kappa]\,\tau_1\ \mathrm{of}\ \bar\tau$, which belongs to $\mathcal{C}_\kappa$. The other possible reductions are to $\mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ (\tau'_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$ where $\tau_{\mathrm{int}} \leadsto \tau'_{\mathrm{int}}$, or to $\mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau'_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$ where $\tau_{\to} \leadsto \tau'_{\to}$, or to $\mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau'_{\forall};\tau_{\forall^+};\tau_{\mu})$ where $\tau_{\forall} \leadsto \tau'_{\forall}$, or to $\mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau'_{\forall^+};\tau_{\mu})$ where $\tau_{\forall^+} \leadsto \tau'_{\forall^+}$, or to $\mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau'_{\mu})$ where $\tau_{\mu} \leadsto \tau'_{\mu}$. By property 2 of definition C.18, each of $\tau'_{\mathrm{int}}$, $\tau'_{\to}$, $\tau'_{\forall}$, $\tau'_{\forall^+}$, and $\tau'_{\mu}$ belongs to the same candidate as before. Moreover, $len = k$ for each of the reducts. By the inductive hypothesis, each of the reducts belongs to $\mathcal{C}_\kappa$.

Therefore, by property 3 of definition C.18, $\mathrm{Typerec}[\kappa]\,\tau\ \mathrm{of}\ \bar\tau$ belongs to $\mathcal{C}_\kappa$. Therefore, $\tau \in \mathcal{R}_\Omega\,\mathcal{C}_\kappa$. $\square$

Definition C.21 Let $\mathcal{C}_1$ and $\mathcal{C}_2$ be two candidates of kinds $\kappa_1$ and $\kappa_2$. We then define the set $\mathcal{C}_1 \to \mathcal{C}_2$, of types of kind $\kappa_1 \to \kappa_2$, as
\[ \tau \in \mathcal{C}_1 \to \mathcal{C}_2 \ \text{ iff }\ \forall\tau'\,(\tau' \in \mathcal{C}_1 \Rightarrow \tau\,\tau' \in \mathcal{C}_2) \]

Lemma C.22 If $\mathcal{C}_1$ and $\mathcal{C}_2$ are candidates of kinds $\kappa_1$ and $\kappa_2$, then $\mathcal{C}_1 \to \mathcal{C}_2$ is a candidate of kind $\kappa_1 \to \kappa_2$.

Proof Same as lemma B.22 for the language of appendix B. $\square$

Definition C.23 We use $\bar\chi$ to denote the set $\chi_1, \dots, \chi_n$ of $\chi$. We use a similar syntax to denote a set of other constructs.

Definition C.24 Let $\kappa[\bar\chi]$ be a kind where $\bar\chi$ contains all the free kind variables of $\kappa$. Let $\bar\kappa$ be a sequence of closed kinds of the same length and $\bar{\mathcal{C}}$ be a sequence of candidates of the corresponding kinds. We now define the set $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$ of types of kind $\kappa\{\bar\kappa/\bar\chi\}$ as

1. if $\kappa = \Omega_{\kappa'}$, then $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi] = \mathcal{R}_\Omega\,\mathcal{S}_{\kappa'}[\bar{\mathcal{C}}/\bar\chi]$.

2. if $\kappa = \chi_i$, then $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi] = \mathcal{C}_i$.

3. if $\kappa = \kappa_1 \to \kappa_2$, then $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi] = \mathcal{S}_{\kappa_1}[\bar{\mathcal{C}}/\bar\chi] \to \mathcal{S}_{\kappa_2}[\bar{\mathcal{C}}/\bar\chi]$.

4. if $\kappa = \forall\chi.\,\kappa'$, then $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$ = the set of types $\tau$ of kind $\kappa\{\bar\kappa/\bar\chi\}$ such that for every kind $\kappa''$ and reducibility candidate $\mathcal{C}''$ of this kind, $\tau\,[\kappa''] \in \mathcal{S}_{\kappa'}[\bar{\mathcal{C}}, \mathcal{C}''/\bar\chi, \chi]$.

Lemma C.25 $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$ is a reducibility candidate of kind $\kappa\{\bar\kappa/\bar\chi\}$.

Proof For $\kappa = \Omega_{\kappa'}$, the lemma follows from the inductive hypothesis on $\kappa'$ and lemma C.20. The rest of the proof is the same as lemma B.25 for the language of appendix B. $\square$

Lemma C.26 $\mathcal{S}_{\kappa\{\kappa'/\chi'\}}[\bar{\mathcal{C}}/\bar\chi] = \mathcal{S}_\kappa[\bar{\mathcal{C}}, \mathcal{S}_{\kappa'}[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi']$

Proof The proof is by induction over the structure of $\kappa$. Suppose $\kappa = \Omega_{\kappa_1}$. Then the LHS is equal to $\mathcal{R}_\Omega\,\mathcal{S}_{\kappa_1\{\kappa'/\chi'\}}[\bar{\mathcal{C}}/\bar\chi]$. By the inductive hypothesis on $\kappa_1$, this is equal to $\mathcal{R}_\Omega\,\mathcal{S}_{\kappa_1}[\bar{\mathcal{C}}, \mathcal{S}_{\kappa'}[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi']$. By definition, the RHS is equal to $\mathcal{R}_\Omega\,\mathcal{S}_{\kappa_1}[\bar{\mathcal{C}}, \mathcal{S}_{\kappa'}[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi']$.

The other cases are the same as lemma B.26 for the language of appendix B. $\square$

Proposition C.27 From lemma C.25, we know that $\mathcal{S}_{\Omega_\kappa\to\Omega_\kappa\to\kappa\to\kappa\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$ is a candidate of kind $(\Omega_\kappa\to\Omega_\kappa\to\kappa\to\kappa\to\kappa)\{\bar\kappa/\bar\chi\}$, that $\mathcal{S}_{\forall\chi.(\chi\to\Omega_\kappa)\to(\chi\to\kappa)\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$ is a candidate of kind $(\forall\chi.\,(\chi\to\Omega_\kappa)\to(\chi\to\kappa)\to\kappa)\{\bar\kappa/\bar\chi\}$, that $\mathcal{S}_{(\forall\chi.\Omega_\kappa)\to(\forall\chi.\kappa)\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$ is a candidate of kind $((\forall\chi.\,\Omega_\kappa)\to(\forall\chi.\,\kappa)\to\kappa)\{\bar\kappa/\bar\chi\}$, and that $\mathcal{S}_{(\Omega_\kappa\to\Omega_\kappa)\to(\kappa\to\kappa)\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$ is a candidate of kind $((\Omega_\kappa\to\Omega_\kappa)\to(\kappa\to\kappa)\to\kappa)\{\bar\kappa/\bar\chi\}$. In the rest of the section, we will refer to the above candidates as $\mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, $\mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, $\mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$ respectively.

Lemma C.28 $\mathsf{int} \in \mathcal{S}_{\forall\chi.\,\Omega_\chi}[\bar{\mathcal{C}}/\bar\chi]$

Proof In this proof $\bar\tau$ abbreviates the branches $(\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$. This is true if for all kinds $\kappa\{\bar\kappa/\bar\chi\}$ and the corresponding candidate $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, $\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]$ belongs to $\mathcal{S}_{\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$. This is true if $\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]$ belongs to $\mathcal{R}_\Omega\,\mathcal{S}_\chi[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$. This implies that $\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]$ belongs to $\mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. This is true if $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]\ \mathrm{of}\ \bar\tau$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$; given that $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$.

Since $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$ are strongly normalizable, we will induct over $len = \nu(\tau_{\mathrm{int}}) + \nu(\tau_{\to}) + \nu(\tau_{\forall}) + \nu(\tau_{\forall^+}) + \nu(\tau_{\mu})$. We will prove that for all values of $len$, the type $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]\ \mathrm{of}\ \bar\tau$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. The conditions for the hypothesis are that $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$. Consider the neutral type
\[ \tau = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]\ \mathrm{of}\ \bar\tau \]

• $len = 0$ The only reduction of $\tau$ is to $\tau_{\mathrm{int}}$, which by assumption belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$.

• $len = k + 1$ Assume that the inductive hypothesis is true for $len = k$. That is, for $len = k$, the type $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]\ \mathrm{of}\ \bar\tau$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$; given that $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$.

By property 3 of definition C.18, for $len = k$, the type $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]\ \mathrm{of}\ \bar\tau$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. Consider the case for $len = k + 1$. Apart from the $\iota_1$ reduction, the other possible reductions are to $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]\ \mathrm{of}\ (\tau'_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$ where $\tau_{\mathrm{int}} \leadsto \tau'_{\mathrm{int}}$, or to $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau'_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$ where $\tau_{\to} \leadsto \tau'_{\to}$, or to $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau'_{\forall};\tau_{\forall^+};\tau_{\mu})$ where $\tau_{\forall} \leadsto \tau'_{\forall}$, or to $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau'_{\forall^+};\tau_{\mu})$ where $\tau_{\forall^+} \leadsto \tau'_{\forall^+}$, or to $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\mathsf{int}\,[\kappa\{\bar\kappa/\bar\chi\}]\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau'_{\mu})$ where $\tau_{\mu} \leadsto \tau'_{\mu}$. By property 2 of definition C.18, each of $\tau'_{\mathrm{int}}$, $\tau'_{\to}$, $\tau'_{\forall}$, $\tau'_{\forall^+}$, and $\tau'_{\mu}$ belongs to the same candidate as before. Moreover, $len = k$ for each of the reducts. Therefore, from the inductive hypothesis, each of the reducts belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$.

Therefore, the neutral type $\tau$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. By property 3 of definition C.18, $\tau \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. $\square$

Lemma C.29 ${\to} \in \mathcal{S}_{\forall\chi.\,\Omega_\chi\to\Omega_\chi\to\Omega_\chi}[\bar{\mathcal{C}}/\bar\chi]$

Proof In this proof $\bar\tau$ abbreviates the branches $(\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$. This is true if for all kinds $\kappa\{\bar\kappa/\bar\chi\}$ and the corresponding candidate $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, we have that ${\to}\,[\kappa\{\bar\kappa/\bar\chi\}]$ belongs to $\mathcal{S}_{\Omega_\chi\to\Omega_\chi\to\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$. This is true if given $\tau_1 \in \mathcal{S}_{\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$ and given $\tau_2 \in \mathcal{S}_{\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$, we have that ${\to}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau_1\,\tau_2$ belongs to $\mathcal{S}_{\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$. This is true if $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,({\to}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau_1\,\tau_2)\ \mathrm{of}\ \bar\tau$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$; given that $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$. Since the types $\tau_1$, $\tau_2$, $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$ are strongly normalizable, we will induct over $len = \nu(\tau_1) + \nu(\tau_2) + \nu(\tau_{\mathrm{int}}) + \nu(\tau_{\to}) + \nu(\tau_{\forall}) + \nu(\tau_{\forall^+}) + \nu(\tau_{\mu})$.

We will prove that for all values of $len$, the type $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,({\to}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau_1\,\tau_2)\ \mathrm{of}\ \bar\tau$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. The conditions for the hypothesis are that $\tau_1 \in \mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_2 \in \mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$. Consider the neutral type
\[ \tau = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,({\to}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau_1\,\tau_2)\ \mathrm{of}\ \bar\tau \]

• $len = 0$ Then the only possible reduction is
\[ \tau \leadsto \tau_{\to}\,\tau_1\,\tau_2\,(\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\tau_1\ \mathrm{of}\ \bar\tau)\,(\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\tau_2\ \mathrm{of}\ \bar\tau) \]
By the assumption on $\tau_1$ and $\tau_2$, both $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\tau_1\ \mathrm{of}\ \bar\tau$ and $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,\tau_2\ \mathrm{of}\ \bar\tau$ belong to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. We also know that $\mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi] = \mathcal{S}_{\Omega_\kappa\to\Omega_\kappa\to\kappa\to\kappa\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$. Therefore, we get that $\tau$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$.

• $len = k + 1$ The other possible reductions come from the reduction of one of the individual types $\tau_1$, $\tau_2$, $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$. The proof in this case is similar to the proof of the corresponding case for lemma C.28.

Therefore, the neutral type $\tau$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. By property 3 of definition C.18, $\tau \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. $\square$

Lemma C.30 If for all $\tau_1 \in \mathcal{S}_{\kappa_1}[\bar{\mathcal{C}}/\bar\chi]$, $\tau\{\tau_1/\alpha\} \in \mathcal{S}_{\kappa_2}[\bar{\mathcal{C}}/\bar\chi]$, then $\lambda\alpha{:}\kappa_1\{\bar\kappa/\bar\chi\}.\,\tau \in \mathcal{S}_{\kappa_1\to\kappa_2}[\bar{\mathcal{C}}/\bar\chi]$.

Proof Same as lemma B.30 for the language of appendix B. $\square$

Lemma C.31 $\forall \in \mathcal{S}_{\forall\chi.\,\forall\chi'.\,(\chi'\to\Omega_\chi)\to\Omega_\chi}[\bar{\mathcal{C}}/\bar\chi]$

Proof In this proof $\bar\tau$ abbreviates the branches $(\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$. This is true if for all kinds $\kappa\{\bar\kappa/\bar\chi\}$ and $\kappa_1\{\bar\kappa/\bar\chi\}$ and the corresponding candidates $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$ and $\mathcal{S}_{\kappa_1}[\bar{\mathcal{C}}/\bar\chi]$, and a type $\tau$ belonging to $\mathcal{S}_{\chi'\to\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi], \mathcal{S}_{\kappa_1}[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi, \chi']$, we have that $\forall\,[\kappa\{\bar\kappa/\bar\chi\}]\,[\kappa_1\{\bar\kappa/\bar\chi\}]\,\tau$ belongs to $\mathcal{S}_{\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi], \mathcal{S}_{\kappa_1}[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi, \chi']$. This implies that $\forall\,[\kappa\{\bar\kappa/\bar\chi\}]\,[\kappa_1\{\bar\kappa/\bar\chi\}]\,\tau$ must belong to $\mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. This is true if
\[ \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\forall\,[\kappa\{\bar\kappa/\bar\chi\}]\,[\kappa_1\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau \]
belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$; given that $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$. Since the types $\tau$, $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$ are strongly normalizable, we will induct over $len = \nu(\tau) + \nu(\tau_{\mathrm{int}}) + \nu(\tau_{\to}) + \nu(\tau_{\forall}) + \nu(\tau_{\forall^+}) + \nu(\tau_{\mu})$.

We will prove that for all values of $len$, the type
\[ \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\forall\,[\kappa\{\bar\kappa/\bar\chi\}]\,[\kappa_1\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau \]
always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. The conditions for the hypothesis are that $\tau \in \mathcal{S}_{\kappa_1}[\bar{\mathcal{C}}/\bar\chi] \to \mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$. Consider the neutral type
\[ \tau' = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\forall\,[\kappa\{\bar\kappa/\bar\chi\}]\,[\kappa_1\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau \]

• $len = 0$ The only possible reduction of $\tau'$ is to
\[ \tau'_1 = \tau_{\forall}\,[\kappa_1\{\bar\kappa/\bar\chi\}]\,\tau\,(\lambda\alpha{:}\kappa_1\{\bar\kappa/\bar\chi\}.\ \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\tau\,\alpha)\ \mathrm{of}\ \bar\tau) \]
Consider $\tau'' = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\tau\,\alpha)\ \mathrm{of}\ \bar\tau$. For all $\tau_1 \in \mathcal{S}_{\kappa_1}[\bar{\mathcal{C}}/\bar\chi]$, we get that
\[ \tau''\{\tau_1/\alpha\} = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\tau\,\tau_1)\ \mathrm{of}\ \bar\tau \]
By definition, $\tau\,\tau_1$ belongs to $\mathcal{S}_{\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi], \mathcal{S}_{\kappa_1}[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi, \chi']$, which is equivalent to $\mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. By definition then, $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\tau\,\tau_1)\ \mathrm{of}\ \bar\tau$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. By lemma C.30, $\lambda\alpha{:}\kappa_1\{\bar\kappa/\bar\chi\}.\,\tau''$ belongs to $\mathcal{S}_{\kappa_1\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$. We also know that $\mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi] = \mathcal{S}_{\forall\chi.(\chi\to\Omega_\kappa)\to(\chi\to\kappa)\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$. Therefore, we get that $\tau'_1$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$.

• $len = k + 1$ The other possible reductions come from the reduction of one of the individual types $\tau$, $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$. The proof in this case is similar to the proof of the corresponding case for lemma C.28.

Therefore, the neutral type $\tau'$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. By property 3 of definition C.18, $\tau' \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. $\square$

Lemma C.32 $\mathsf{Place} \in \mathcal{S}_{\forall\chi.\,\chi\to\Omega_\chi}[\bar{\mathcal{C}}/\bar\chi]$

Proof In this proof $\bar\tau$ abbreviates the branches $(\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$. This is true if for all kinds $\kappa\{\bar\kappa/\bar\chi\}$ and the corresponding candidate $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and a type $\tau$ belonging to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, we have that $\mathsf{Place}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau$ belongs to $\mathcal{S}_{\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$. This implies that $\mathsf{Place}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau$ belongs to $\mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. This is true if $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\mathsf{Place}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$; given that $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$. Since the types $\tau$, $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$ are strongly normalizable, we will induct over $len = \nu(\tau) + \nu(\tau_{\mathrm{int}}) + \nu(\tau_{\to}) + \nu(\tau_{\forall}) + \nu(\tau_{\forall^+}) + \nu(\tau_{\mu})$.

We will prove that for all values of $len$, the type $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\mathsf{Place}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. The conditions for the hypothesis are that $\tau \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$. Consider the neutral type
\[ \tau' = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\mathsf{Place}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau \]

• $len = 0$ The only possible reduction of $\tau'$ is to $\tau$. By assumption, this belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$.

• $len = k + 1$ The other possible reductions come from the reduction of one of the individual types $\tau$, $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$. The proof in this case is similar to the proof of the corresponding case for lemma C.28.

Therefore, the neutral type $\tau'$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. By property 3 of definition C.18, $\tau' \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. $\square$

Lemma C.33 $\mu \in \mathcal{S}_{\forall\chi.\,(\Omega_\chi\to\Omega_\chi)\to\Omega_\chi}[\bar{\mathcal{C}}/\bar\chi]$

Proof In this proof $\bar\tau$ abbreviates the branches $(\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$. This is true if for all kinds $\kappa\{\bar\kappa/\bar\chi\}$ and the corresponding candidate $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and a type $\tau$ belonging to $\mathcal{S}_{\Omega_\chi\to\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$, we have that $\mu\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau$ belongs to $\mathcal{S}_{\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$. This implies that $\mu\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau$ belongs to $\mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. This is true if $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\mu\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$; given that $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$. Since the types $\tau$, $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$ are strongly normalizable, we will induct over $len = \nu(\tau) + \nu(\tau_{\mathrm{int}}) + \nu(\tau_{\to}) + \nu(\tau_{\forall}) + \nu(\tau_{\forall^+}) + \nu(\tau_{\mu})$. We will prove that for all values of $len$, the type $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\mu\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. The conditions for the hypothesis are that $\tau \in \mathcal{S}_{\Omega_\chi\to\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$, and $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$. Consider the neutral type
\[ \tau' = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\mu\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau \]

• $len = 0$ The only possible reduction is to
\[ \tau'_1 = \tau_{\mu}\,\tau\,(\lambda\alpha{:}\kappa\{\bar\kappa/\bar\chi\}.\ \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\tau\,(\mathsf{Place}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\alpha))\ \mathrm{of}\ \bar\tau) \]
Consider
\[ \tau'' = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\tau\,(\mathsf{Place}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\alpha))\ \mathrm{of}\ \bar\tau \]
For any type $\tau_1$ belonging to the candidate $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, we get that
\[ \tau''\{\tau_1/\alpha\} = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\tau\,(\mathsf{Place}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau_1))\ \mathrm{of}\ \bar\tau \]
By lemma C.32, $\mathsf{Place} \in \mathcal{S}_{\forall\chi.\,\chi\to\Omega_\chi}[\bar{\mathcal{C}}/\bar\chi]$. Therefore, $\mathsf{Place}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau_1$ belongs to $\mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. Therefore, $\tau\,(\mathsf{Place}\,[\kappa\{\bar\kappa/\bar\chi\}]\,\tau_1)$ also belongs to $\mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. Therefore, by definition, $\tau''\{\tau_1/\alpha\}$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. By lemma C.30, $\lambda\alpha{:}\kappa\{\bar\kappa/\bar\chi\}.\,\tau''$ belongs to $\mathcal{S}_{\kappa\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$. We also know that $\mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi] = \mathcal{S}_{(\Omega_\kappa\to\Omega_\kappa)\to(\kappa\to\kappa)\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$. This implies that $\tau'_1$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$.

• $len = k + 1$ The other possible reductions come from the reduction of one of the individual types $\tau$, $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$. The proof in this case is similar to the proof of the corresponding case for lemma C.28.

Therefore, the neutral type $\tau'$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. By property 3 of definition C.18, $\tau' \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. $\square$

Lemma C.34 If for every kind $\kappa'$ and reducibility candidate $\mathcal{C}'$ of this kind, $\tau\{\kappa'/\chi'\} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}, \mathcal{C}'/\bar\chi, \chi']$, then $\Lambda\chi'.\,\tau \in \mathcal{S}_{\forall\chi'.\kappa}[\bar{\mathcal{C}}/\bar\chi]$.

Proof Same as lemma B.32 for the language of appendix B. $\square$

Lemma C.35 If $\tau \in \mathcal{S}_{\forall\chi.\kappa}[\bar{\mathcal{C}}/\bar\chi]$, then $\tau\,[\kappa'\{\bar\kappa/\bar\chi\}] \in \mathcal{S}_{\kappa\{\kappa'/\chi\}}[\bar{\mathcal{C}}/\bar\chi]$ for every kind $\kappa'\{\bar\kappa/\bar\chi\}$.

Proof By definition, $\tau\,[\kappa'\{\bar\kappa/\bar\chi\}]$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}, \mathcal{C}'/\bar\chi, \chi]$, for every kind $\kappa'\{\bar\kappa/\bar\chi\}$ and reducibility candidate $\mathcal{C}'$ of this kind. Set $\mathcal{C}' = \mathcal{S}_{\kappa'}[\bar{\mathcal{C}}/\bar\chi]$. Applying lemma C.26 leads to the result. $\square$

Lemma C.36 $\forall^{+} \in \mathcal{S}_{\forall\chi.\,(\forall\chi_1.\,\Omega_\chi)\to\Omega_\chi}[\bar{\mathcal{C}}/\bar\chi]$

Proof In this proof $\bar\tau$ abbreviates the branches $(\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$. This is true if for all kinds $\kappa\{\bar\kappa/\bar\chi\}$, and the corresponding candidate $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and a type $\tau$ belonging to $\mathcal{S}_{\forall\chi_1.\,\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$, we have that $\forall^{+}[\kappa\{\bar\kappa/\bar\chi\}]\,\tau$ belongs to $\mathcal{S}_{\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$. This implies that $\forall^{+}[\kappa\{\bar\kappa/\bar\chi\}]\,\tau$ belongs to $\mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. This is true if
\[ \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\forall^{+}[\kappa\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau \]
belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$; given that $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$. Since the types $\tau$, $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$ are strongly normalizable, we will induct over $len = \nu(\tau) + \nu(\tau_{\mathrm{int}}) + \nu(\tau_{\to}) + \nu(\tau_{\forall}) + \nu(\tau_{\forall^+}) + \nu(\tau_{\mu})$.

We will prove that for all values of $len$, the type $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\forall^{+}[\kappa\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. The conditions for the hypothesis are that $\tau \in \mathcal{S}_{\forall\chi_1.\,\Omega_\chi}[\bar{\mathcal{C}}, \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]/\bar\chi, \chi]$, and $\tau_{\mathrm{int}} \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to} \in \mathcal{S}_{\to}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall} \in \mathcal{S}_{\forall}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+} \in \mathcal{S}_{\forall^+}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu} \in \mathcal{S}_{\mu}[\bar{\mathcal{C}}/\bar\chi]$. Consider the neutral type
\[ \tau' = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\forall^{+}[\kappa\{\bar\kappa/\bar\chi\}]\,\tau)\ \mathrm{of}\ \bar\tau \]

• $len = 0$ The only possible reduction of $\tau'$ is to
\[ \tau_{\forall^+}\,\tau\,(\Lambda\chi.\ \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\tau\,[\chi])\ \mathrm{of}\ \bar\tau) \]
Consider
\[ \tau'' = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\tau\,[\chi])\ \mathrm{of}\ \bar\tau \]
For an arbitrary kind $\kappa'$ and corresponding candidate $\mathcal{C}'$, we get that
\[ \tau''\{\kappa'/\chi\} = \mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\tau\,[\kappa'])\ \mathrm{of}\ \bar\tau \]
By the assumption on $\tau$, we get that $\tau\,[\kappa']$ belongs to $\mathcal{R}_\Omega\,\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. By definition, $\mathrm{Typerec}[\kappa\{\bar\kappa/\bar\chi\}]\,(\tau\,[\kappa'])\ \mathrm{of}\ \bar\tau$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. Since $\chi$ does not occur free in $\kappa$, we may also write that $\tau''\{\kappa'/\chi\}$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}, \mathcal{C}'/\bar\chi, \chi]$. By lemma C.34, this implies that $\Lambda\chi.\,\tau''$ belongs to $\mathcal{S}_{\forall\chi.\kappa}[\bar{\mathcal{C}}/\bar\chi]$. We also know that $\tau_{\forall^+} \in \mathcal{S}_{(\forall\chi.\Omega_\kappa)\to(\forall\chi.\kappa)\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$. Also, $\chi$ does not occur free in $\kappa$. Therefore, we get that $\tau_{\forall^+}\,\tau\,(\Lambda\chi.\,\tau'')$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$.

• $len = k + 1$ The other possible reductions come from the reduction of one of the individual types $\tau$, $\tau_{\mathrm{int}}$, $\tau_{\to}$, $\tau_{\forall}$, $\tau_{\forall^+}$, and $\tau_{\mu}$. The proof in this case is similar to the proof of the corresponding case for lemma C.28.

Therefore, the neutral type $\tau'$ always reduces to a type that belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. By property 3 of definition C.18, $\tau' \in \mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$. $\square$

We now come to the main result of this section.

Theorem C.37 (Candidacy) Let $\tau$ be a type of kind $\kappa$. Suppose all the free type variables of $\tau$ are in $\alpha_1 \dots \alpha_n$ of kinds $\kappa_1 \dots \kappa_n$ and all the free kind variables of $\kappa, \kappa_1 \dots \kappa_n$ are among $\chi_1 \dots \chi_m$. If $\mathcal{C}_1 \dots \mathcal{C}_m$ are candidates of kinds $\kappa'_1 \dots \kappa'_m$ and $\tau_1 \dots \tau_n$ are types of kinds $\kappa_1\{\bar\kappa'/\bar\chi\} \dots \kappa_n\{\bar\kappa'/\bar\chi\}$ which are in $\mathcal{S}_{\kappa_1}[\bar{\mathcal{C}}/\bar\chi] \dots \mathcal{S}_{\kappa_n}[\bar{\mathcal{C}}/\bar\chi]$, then $\tau\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$.

Proof The proof is by induction over the structure of $\tau$.

The cases of $\mathsf{int}$, $\to$, $\forall$, $\forall^{+}$, $\mu$, and $\mathsf{Place}$ are covered by lemmas C.28, C.29, C.31, C.36, C.33, and C.32.

Suppose $\tau = \alpha_i$ and $\kappa = \kappa_i$. Then $\tau\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\} = \tau_i$. By assumption, this belongs to $\mathcal{S}_{\kappa_i}[\bar{\mathcal{C}}/\bar\chi]$.

Suppose $\tau = \tau'_1\,\tau'_2$. Then $\tau'_1 : \kappa' \to \kappa$ for some kind $\kappa'$ and $\tau'_2 : \kappa'$. By the inductive hypothesis, $\tau'_1\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}$ belongs to $\mathcal{S}_{\kappa'\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$ and $\tau'_2\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}$ belongs to $\mathcal{S}_{\kappa'}[\bar{\mathcal{C}}/\bar\chi]$. Therefore, $(\tau'_1\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\})\,(\tau'_2\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\})$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$.

Suppose $\tau = \tau'\,[\kappa']$. Then $\tau' : \forall\chi_1.\,\kappa_1$ and $\kappa = \kappa_1\{\kappa'/\chi_1\}$. By the inductive hypothesis, $\tau'\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}$ belongs to $\mathcal{S}_{\forall\chi_1.\kappa_1}[\bar{\mathcal{C}}/\bar\chi]$. By lemma C.35, $\tau'\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}\,[\kappa'\{\bar\kappa'/\bar\chi\}]$ belongs to $\mathcal{S}_{\kappa_1\{\kappa'/\chi_1\}}[\bar{\mathcal{C}}/\bar\chi]$, which is equivalent to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$.

Suppose $\tau = \mathrm{Typerec}[\kappa]\,\tau'\ \mathrm{of}\ (\tau_{\mathrm{int}};\tau_{\to};\tau_{\forall};\tau_{\forall^+};\tau_{\mu})$. Then $\tau' : \Omega_\kappa$, and $\tau_{\mathrm{int}} : \kappa$, and $\tau_{\to} : \Omega_\kappa\to\Omega_\kappa\to\kappa\to\kappa\to\kappa$, and $\tau_{\forall} : \forall\chi.\,(\chi\to\Omega_\kappa)\to(\chi\to\kappa)\to\kappa$, and $\tau_{\forall^+} : (\forall\chi.\,\Omega_\kappa)\to(\forall\chi.\,\kappa)\to\kappa$, and $\tau_{\mu} : (\Omega_\kappa\to\Omega_\kappa)\to(\kappa\to\kappa)\to\kappa$. By the inductive hypothesis, $\tau'\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}$ belongs to $\mathcal{S}_{\Omega_\kappa}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mathrm{int}}\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}$ belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\to}\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}$ belongs to $\mathcal{S}_{\Omega_\kappa\to\Omega_\kappa\to\kappa\to\kappa\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall}\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}$ belongs to $\mathcal{S}_{\forall\chi.(\chi\to\Omega_\kappa)\to(\chi\to\kappa)\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\forall^+}\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}$ belongs to $\mathcal{S}_{(\forall\chi.\Omega_\kappa)\to(\forall\chi.\kappa)\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$, and $\tau_{\mu}\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}$ belongs to $\mathcal{S}_{(\Omega_\kappa\to\Omega_\kappa)\to(\kappa\to\kappa)\to\kappa}[\bar{\mathcal{C}}/\bar\chi]$. By definition of $\mathcal{S}_{\Omega_\kappa}[\bar{\mathcal{C}}/\bar\chi]$,
\[
\begin{array}{l}
\mathrm{Typerec}[\kappa\{\bar\kappa'/\bar\chi\}]\ \tau'\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\}\ \mathrm{of} \\
\quad (\tau_{\mathrm{int}}\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\};\ \tau_{\to}\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\};\ \tau_{\forall}\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\};\ \tau_{\forall^+}\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\};\ \tau_{\mu}\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\})
\end{array}
\]
belongs to $\mathcal{S}_\kappa[\bar{\mathcal{C}}/\bar\chi]$.

Suppose $\tau = \lambda\alpha'{:}\kappa'.\,\tau_1$. Then $\tau_1 : \kappa''$ where the free type variables of $\tau_1$ are in $\alpha_1, \dots, \alpha_n, \alpha'$ and $\kappa = \kappa' \to \kappa''$. By the inductive hypothesis, $\tau_1\{\bar\kappa'/\bar\chi\}\{\bar\tau, \tau'/\bar\alpha, \alpha'\}$ belongs to $\mathcal{S}_{\kappa''}[\bar{\mathcal{C}}/\bar\chi]$, where $\tau'$ is of kind $\kappa'\{\bar\kappa'/\bar\chi\}$ and belongs to $\mathcal{S}_{\kappa'}[\bar{\mathcal{C}}/\bar\chi]$. This implies that $(\tau_1\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\})\{\tau'/\alpha'\}$ (since $\alpha'$ occurs free only in $\tau_1$) belongs to $\mathcal{S}_{\kappa''}[\bar{\mathcal{C}}/\bar\chi]$. By lemma C.30, $\lambda\alpha'{:}\kappa'\{\bar\kappa'/\bar\chi\}.\,(\tau_1\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\})$ belongs to $\mathcal{S}_{\kappa'\to\kappa''}[\bar{\mathcal{C}}/\bar\chi]$.

Suppose $\tau = \Lambda\chi'.\,\tau'$. Then $\tau' : \kappa''$ and $\kappa = \forall\chi'.\,\kappa''$. By the inductive hypothesis, $\tau'\{\bar\kappa', \kappa'/\bar\chi, \chi'\}\{\bar\tau/\bar\alpha\}$ belongs to $\mathcal{S}_{\kappa''}[\bar{\mathcal{C}}, \mathcal{C}'/\bar\chi, \chi']$ for an arbitrary kind $\kappa'$ and candidate $\mathcal{C}'$ of kind $\kappa'$. Since $\chi'$ occurs free only in $\tau'$, we get that $(\tau'\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\})\{\kappa'/\chi'\}$ belongs to $\mathcal{S}_{\kappa''}[\bar{\mathcal{C}}, \mathcal{C}'/\bar\chi, \chi']$. By lemma C.34, $\Lambda\chi'.\,(\tau'\{\bar\kappa'/\bar\chi\}\{\bar\tau/\bar\alpha\})$ belongs to $\mathcal{S}_{\forall\chi'.\kappa''}[\bar{\mathcal{C}}/\bar\chi]$. $\square$

Suppose $\mathcal{SN}_i$ is the set of strongly normalizable types of kind $\kappa_i$.

Corollary C.38 All types are strongly normalizable.

Proof Follows from theorem C.37 by putting $\mathcal{C}_i = \mathcal{SN}_i$ and $\tau_i = \alpha_i$. $\square$

C.3 Confluence

Confluence for the type reduction relation of the language of this appendix is proved in the same way as the type reduction confluence for the language of appendix B. The additional cases follow in a straightforward manner.